Pairing computation device, pairing computation method and recording medium storing pairing computation program

ABSTRACT

There is provided a pairing computation device provided with a CPU which computes pairing e(S, Q) with S∈G₁, Q∈G₂, χ being a given integer variable, and F being a rational function calculated using Miller's algorithm with respect to multi-pairing (MMA). An order r and a trace t of the Frobenius endomorphism φ_(p) are specified preliminarily using the integer variable χ according to an embedding degree k. The CPU performs pairing computation by means of: an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers; a computation unit which computes F; a computation unit which computes a value at a rational point Q(x_(Q), y_(Q)) of a straight line passing through given rational points; a computation unit which computes f′ _(χ,S)(Q) using the aforementioned F and the value; and a computation unit which computes the pairing e(S, Q) using the aforementioned f′ _(χ,S)(Q) as [F83].

[F83]

e(S, Q)=f′ _(χ,S)(Q)^((p) ^(k) ^(−1)/r).

FIELD OF THE INVENTION

The present invention relates to a pairing computation device and a pairing computation method which enable pairing computation to be performed at high speed, and a recording medium storing a pairing computation program.

DESCRIPTION OF THE RELATED ART

Conventionally, when an individual user uses various kinds of services provided on a network such as the Internet, there are some cases where an authentication procedure using an ID and password set preliminarily for each individual user is requested. An authentication procedure like this is for confirming, in general, that an individual user is a normal user, and the authentication processing for the authentication procedure is performed by an authentication server.

Recently, with the use of digital signature technology, user-specific digital signature data is added to each individual piece of data itself to make it possible to assure that data used by an individual user is not falsified by a third party or is not leaked to a third party. Accordingly, even highly confidential information has been safely handled on a network.

On the other hand, in the digital signature, since an individual user is identified along with authentication processing by an authentication server, each time the authentication processing is performed, a history of each individual user is sequentially accumulated as information on the authentication server. Therefore, since personal information such as which sites a user accessed or which services a user used is accumulated on the authentication server, adequate attention is paid so that no such information is leaked, from the point of view of personal information protection.

In order to resolve the accumulation of history information about an individual user which arises from employing this digital signature, it has been proposed to employ a digital group signature, which is extended from the digital signature.

In a case where the digital group signature is employed, an individual user anonymously transmits to an authentication server signature data which certifies only that the individual user belongs to a certain group, and the authentication server authenticates that the individual user belongs to a certain group without identifying the individual user from the received signature data. Therefore, the authentication server blocks unfair use by an individual user who does not belong to the group on the one hand, and authenticates an individual user without accumulating history information about each individual user on the other hand.

In the anonymous authentication in the digital group signature, pairing computation is employed.

Pairing computation is a computation using a function of two inputs and one output. For example, letting S be a rational point over a prime field F_(p) and Q be a rational point over a k-th extension field F_(p) ^(k), by inputting two rational points S and Q, an element z over an extension field F*_(p) ^(k) is outputted. Authentication is then performed by using the bilinearity property that when a times rational point S and b times rational point Q are inputted, z to the power of ab is outputted. Here, “k” is called an embedding degree, and “F*_(p) ^(k)” is meant to be correctly displayed in mathematical notation as [F31]

F*_(p) ^(k)

However, due to display restrictions, it is denoted as F*_(p) ^(k).

Generally, for rational points S and Q, points on an elliptic curve are used respectively. The pairing computation of points on an elliptic curve is constituted of a step which computes using Miller's algorithm and a step which performs an exponentiation with respect to a result of the computation.

In the digital group signature, when performing authentication processing of the access right of an individual user who belongs to a group, pairing computation is first performed to exclude individual users who have lost access rights, and then authentication processing is performed by performing pairing computation for the given individual user; hence, it has been possible to respond flexibly to attribute changes due to issuance and expiration of access rights for each individual user.

Therefore, in a case of a digital group signature where a group is constituted of, for example, 10,000 individual users, if there are 100 individual users who have lost their access rights, it is necessary to perform 100 pairing computations. Since one pairing computation takes about 0.1 second on a present general electronic computer, 100 pairing computations require about 10 seconds. Accordingly, in practical use, the number of individual users is limited and hence, the digital group signature has not been widely used.

Accordingly, in order to enhance the usefulness of the digital group signature by increasing the computation speed of the pairing computation, techniques have been proposed which try to realize high-speed computation by, for example, employing the Tate pairing computation method, which is defined on an elliptic curve, as the pairing computation to reduce computation load (for example, see JP 2005-316267A).

SUMMARY OF THE INVENTION

However, the speeding up of pairing computation currently proposed is not yet sufficient, and further speeding up of the pairing computation has been sought.

The inventors, in view of the present situation, have done research and development to speed up pairing computation and have made the present invention.

According to an aspect of the present invention, there is provided a pairing computation device, in which, as described in claim 1, an elliptic curve is given as y²=x³+ax+b, a∈F_(p), b∈F_(p), letting k be an embedding degree, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p) ^(k), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G ₁ =E[r]∩Ker(φ_(p)−[1]),

G ₂ =E[r]∩Ker(φ_(p)−[p]),

as a non-degenerate bilinear map

e:G ₁ ×G ₂ →F* _(p) ^(k)/(F* _(p) ^(k))^(r), and

the pairing computation device comprises a CPU which computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and F be a rational function which is calculated using Miller's algorithm with respect to multi-pairing (MMA),

the order r and a trace t of the Frobenius endomorphism φ_(p) are specified preliminarily according to the embedding degree k using the integer variable χ, and

the CPU includes:

an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers;

a computation unit which computes F;

a computation unit which computes a value of a straight line passing through given rational points at a rational point Q(x_(Q), y_(Q));

a computation unit which computes f′ _(χ,S)(Q) using said F and said value;

and

a computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as

[F32]

e(S, Q)=f′ _(χ,S)(Q)^((p) ^(k) ^(−1)/r).

According to a further aspect of the present invention, there is provided a pairing computation method, in which, as described in claim 2, an elliptic curve is given as y²=x³+ax+b, a∈F_(p), b∈F_(p), letting k be an embedding degree, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p) ^(k), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G ₁ =E[r]∩Ker(φ_(p)−[1]),

G ₂ =E[r]∩Ker(φ_(p) −[p]),

as non-degenerate bilinear map

e:G ₁ ×G ₂ →F* _(p) ^(k)/(F* _(p) ^(k))^(r),

an electronic computer which includes a CPU computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and F be a rational function which is calculated using Miller's algorithm with respect to multi-pairing (MMA),

the order r and a trace t of the Frobenius endomorphism φ_(p) are specified preliminarily according to the embedding degree k using the integer variable χ, and

the pairing computation method comprises:

a step of inputting the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers by causing the CPU of the electronic computer to function as an input unit;

a step of computing F by causing the CPU of the electronic computer to function as a computation unit;

a step of computing a value of a straight line passing through given rational points at a rational point Q(x_(Q), y_(Q)) by causing the CPU of the electronic computer to function as a computation unit;

a step of computing f′ _(χ,S)(Q) using said F and said value by causing the CPU of the electronic computer to function as a computation unit; and

a step of computing the pairing e(S, Q) using said f′ _(χ,S)(Q) as

[F33]

e(S, Q)=f′ _(χ,S)(Q)^((p) ^(k) ^(−1)/r)

by causing the CPU of the electronic computer to function as a computation unit.

According to a further aspect of the present invention, there is provided a pairing computation program stored in a recording medium, in which, as described in claim 3,

an elliptic curve is given as y²=x³+ax+b, a∈F_(p), b∈F_(p), letting k be an embedding degree, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p) ^(k), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G ₁ =E[r]∩Ker(φ_(p)−[1]),

G ₂ =E[r]∩Ker(φ_(p) −[p]),

as non-degenerate bilinear map

e:G ₁ ×G ₂ →F* _(p) ^(k)/(F* _(p) ^(k))^(r), and

the pairing computation program causes an electronic computer which includes a CPU to compute the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and F be a rational function which is calculated using Miller's algorithm with respect to multi-pairing (MMA),

the order r and a trace t of the Frobenius endomorphism φ_(p) are specified preliminarily according to the embedding degree k using the integer variable χ, and

the pairing computation program causes the CPU of the electronic computer to function as:

an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers;

a computation unit which computes F;

a computation unit which computes a value of a straight line passing through given rational points at a rational point Q(x_(Q), y_(Q));

a computation unit which computes f′ _(χ,S)(Q) using said F and said value;

and

a computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as

[F34]

e(S, Q)=f′ _(χ,S)(Q)^((p) ^(k) ^(−1)/r).

According to a further aspect of the present invention, there is provided a pairing computation device, in which, as described in claim 4,

an elliptic curve is given as y²=x³+b, b∈F_(p), letting an embedding degree be 12, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p) ¹², E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G ₁ =E[r]∩Ker(φ_(p)−[1]),

G ₂ =E[r]∩Ker(φ_(p) −[p]),

as a non-degenerate bilinear map

e:G ₁ ×G ₂ →F* _(p) ¹²/(F* _(p) ¹²)^(r), and

the pairing computation device comprises a CPU which computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, Z_(S) be a set of rational points S and pS, Z_(Q) be a set of rational points pQ and Q, and F_(2χ,ZS)(Z_(Q)) be a rational function which is calculated using Miller's algorithm with respect to multi-pairing (MMA),

the order r and a trace t of the Frobenius endomorphism φ_(p) are specified using the integer variable χ as,

r(χ)=36χ⁴−36χ³+18χ²−6χ+1,

t(χ)=6χ²+1,

and a representation of the integer variable χ using p¹⁰ with p as a characteristic is

p≡(2χ−1)p¹⁰+2χ (mod r(χ)), and

the CPU includes:

an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers;

a first computation unit which computes F_(2χ,ZS)(Z_(Q));

a second computation unit which computes given rational points using 2χS and 2χpS which are calculated when computing said F_(2χ,ZS)(Z_(Q));

a third computation unit which computes a value at a rational point Q(x_(Q), y_(Q)) of a straight line passing through the given rational points;

a fourth computation unit which computes f′ _(χ,S)(Q) using said F_(2χ,ZS)(Z_(Q)) and said value; and

a fifth computation unit which computes the pairing e(S, Q) using said f′ _(χ,S)(Q) as

[F35]

e(S, Q)=f′ _(χ,S)(Q)^((p) ¹² ^(−1)/r).

In particular, the pairing computation device is characterized in that the second computation unit computes respective rational points −S, (2χ−1)S, p¹⁰((2χ−1)S), −pS, (2χ−1)pS, p¹⁰((2χ−1)pS) in order using previously obtained results,

the third computation unit respectively computes a value l₁ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)S, −S), a value l₂ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)pS, −pS), a value l₃ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)S), 2χS), and a value l₄ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)pS), 2χpS), and

the fourth computation unit computes f′ _(χ,S)(Q) as

[F36]

f′ _(χ,S)(Q)={F _(2χ,Z) _(S) (Z _(Q))·{l ₁ ^(p) ·l ₂}⁻¹}^(p) ¹⁰ ·F_(2χ,Z) _(S) (Z _(Q))·l ₃ ^(p) ·l ₄.

According to a further aspect of the present invention, there is provided a pairing computation method, in which, as described in claim 6,

an elliptic curve is given as y²=x³+b, b∈F_(p), letting an embedding degree be 12, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p) ¹², E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G ₁ =E[r]∩Ker(φ_(p)−[1]),

G ₂ =E[r]∩Ker(φ_(p) −[p]),

as a non-degenerate bilinear map

e:G ₁ ×G ₂ →F* _(p) ¹²/(F* _(p) ¹²)^(r),

an electronic computer which includes a CPU computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, Z_(S) be a set of rational points S and pS, Z_(Q) be a set of rational points pQ and Q, and F_(2χ,ZS)(Z_(Q)) be a rational function which is calculated using Miller's algorithm with respect to multi-pairing (MMA),

the order r and a trace t of the Frobenius endomorphism φ_(p) are specified using the integer variable χ as,

r(χ)=36χ⁴−36χ³+18χ²−6χ+1,

t(χ)=6χ²+1,

and a representation of the integer variable χ using p¹⁰ with p as a characteristic is

p≡(2χ−1)p ¹⁰+2χ (mod r(χ)), and

the pairing computation method comprises:

an input step which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers by causing the CPU of the electronic computer to function as an input unit;

a first computation step which computes F_(2χ,ZS)(Z_(Q)) by causing the CPU of the electronic computer to function as a first computation unit;

a second computation step which computes given rational points using 2χS and 2χpS which are calculated when computing said F_(2χ,ZS)(Z_(Q)) by causing the CPU of the electronic computer to function as a second computation unit;

a third computation step which computes a value at a rational point Q(x_(Q), y_(Q)) of a straight line passing through the given rational points by causing the CPU of the electronic computer to function as a third computation unit;

a fourth computation step which computes f′ _(χ,S)(Q) using said F_(2χ,ZS)(Z_(Q)) and said value by causing the CPU of the electronic computer to function as a fourth computation unit; and

a fifth computation step which computes the pairing e(S, Q) using said f′ _(χ,S)(Q) as

[F37]

e(S, Q)=f′ _(χ,S)(Q)^((p) ¹² ^(−1)/r),

by causing the CPU of the electronic computer to function as a fifth computation unit.

In particular, the pairing computation method is characterized in that the second computation step computes respective rational points −S, (2χ−1)S, p¹⁰((2χ−1)S), −pS, (2χ−1)pS, p¹⁰((2χ−1)pS) in order using previously obtained results,

the third computation step respectively computes a value l₁ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)S, −S), a value l₂ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)pS, −pS), a value l₃ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)S), 2χS), and a value l₄ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)pS), 2χpS), and

the fourth computation step computes f′ _(χ,S)(Q) as

[F38]

f′ _(χ,S)(Q)={F _(2χ,Z) _(S) (Z _(Q))·{l ₁ ^(p) ·l ₂}⁻¹}^(p) ¹⁰ ·F_(2χ,Z) _(S) (Z _(Q))·l ₃ ^(p) ·l ₄.

According to a further aspect of the present invention, there is provided a pairing computation program, in which, as described in claim 8, an elliptic curve is given as y²=x³+b, b∈F_(p), letting an embedding degree be 12, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p) ¹², E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G ₁ =E[r]∩Ker(φ_(p)−[1]),

G ₂ =E[r]∩Ker(φ_(p) −[p]),

as a non-degenerate bilinear map

e:G ₁ ×G ₂ →F* _(p) ¹²/(F* _(p) ¹²)^(r),

the pairing computation program causes an electronic computer which includes a CPU to compute the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, Z_(S) be a set of rational points S and pS, Z_(Q) be a set of rational points pQ and Q, and F_(2χ,ZS)(Z_(Q)) be a rational function which is calculated using Miller's algorithm with respect to multi-pairing (MMA),

the order r and a trace t of the Frobenius endomorphism φ_(p) are specified using the integer variable χ as,

r(χ)=36χ⁴−36χ³+18χ²−6χ+1,

t(χ)=6χ²+1,

and a representation of the integer variable χ using p¹⁰ with p as a characteristic is

p≡(2χ−1)p ¹⁰+2χ (mod r(χ)),

the pairing computation program causes the CPU of the electronic computer to function as:

an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers;

a first computation unit which computes F_(2χ,ZS)(Z_(Q));

a second computation unit which computes given rational points using 2χS and 2χpS which are calculated when computing said F_(2χ,ZS)(Z_(Q));

a third computation unit which computes a value at a rational point Q(x_(Q), y_(Q)) of a straight line passing through the given rational points;

a fourth computation unit which computes f′ _(χ,S)(Q) using said F_(2χ,ZS)(Z_(Q)) and said value; and

a fifth computation unit which computes the pairing e(S, Q) using said f′ _(χ,S)(Q) as

[F39]

e(S, Q)=f′ _(χ,S)(Q)^((p) ¹² ^(−1)/r).

In particular, the pairing computation program is characterized in that

the pairing computation program causes:

the CPU of the electronic computer which functions as the second computation unit to compute respective rational points −S, (2χ−1)S, p¹⁰((2χ−1)S), −pS, (2χ−1)pS, p¹⁰((2χ−1)pS) in order using previously obtained results;

the CPU of the electronic computer which functions as the third computation unit to compute respectively a value l₁ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)S, −S), a value l₂ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)pS, −pS), a value l₃ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)S), 2χS), and a value l₄ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)pS), 2χpS); and

the CPU of the electronic computer which functions as the fourth computation unit to compute f′ _(χ,S)(Q) as

[F40]

f′ _(χ,S)(Q)={F _(2χ,Z) _(S) (Z _(Q))·{l ₁ ^(p) ·l ₂}⁻¹}^(p) ¹⁰ ·F_(2χ,Z) _(S) (Z _(Q))·l ₃ ^(p) ·l ₄.

According to a further aspect of the present invention, there is provided a pairing computation device, in which, as described in claim 10,

an elliptic curve is given as y²=x³+ax, a∈F_(p), letting an embedding degree be 8, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p) ⁸, E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G ₁ =E[r]∩Ker(φ_(p)−[1]),

G ₂ =E[r]∩Ker(φ_(p) −[p]),

as a non-degenerate bilinear map

e:G ₁ ×G ₂ →F* _(p) ⁸/(F* _(p) ⁸)^(r),

the pairing computation device comprising a CPU which computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, Z_(S) be a set of rational points S and p³S, Z_(Q) be a set of rational points p³Q and Q, and F_(3χ,ZS)(Z_(Q)) be a rational function which is calculated using Miller's algorithm with respect to multi-pairing (MMA),

the order r and a trace t of the Frobenius endomorphism φ_(p) are specified using the integer variable χ as,

r(χ)=9χ⁴+12χ³+8χ²+4χ+1,

t(χ)=−9χ³−3χ²−2χ,

and a representation of the integer variable χ using p² and p³ with p as a characteristic is

p³≡p²+3χ+1 (mod r(χ)), and

the CPU includes:

an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers;

a first computation unit which computes F_(3χ,ZS)(Z_(Q));

a second computation unit which computes respective rational points p²(S), p²(p³S), (3χ+1)S, (3χ+1)p³S in order using previously obtained results;

a third computation unit which respectively computes a value l₅ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χS, S), a value l₆ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(S), (3χ+1)S), a value l₇ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χp³S, p³S), and a value l₈ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(p³S), (3χ+1)p³S);

a fourth computation unit which computes f′ _(χ,S)(Q) using a computation result of the first computation unit and a computation result of the third computation unit as

[F41]

f′ _(χ,S)(Q)=F _(3χ,Z) _(S) (Z _(Q)){l ₅ ·l ₆}^(p) ⁵ ·l ₇ ·l ₈; and

a fifth computation unit which computes the pairing e(S, Q) using said f′ _(χ,S)(Q) as

[F42]

e(S, Q)=f′ _(χ,S)(Q)^((p) ⁸ ^(−1)/r).
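The two congruences quoted above (p≡(2χ−1)p¹⁰+2χ for embedding degree 12 and p³≡p²+3χ+1 for embedding degree 8) can be checked numerically, together with the fact that the final exponent (p^k−1)/r is an integer. The following Python is an added example, not part of the patent text; it assumes r divides the curve order p+1−t, so that p ≡ t−1 (mod r), and the function names and the sample value of χ are constructed for illustration.

```python
# Added example: checks on the chi-parameterisations quoted in the text.
# Assumption (not stated on the page): r divides #E(F_p) = p + 1 - t,
# so p ≡ t - 1 (mod r) and every check can be done on residues mod r.

def k12_params(chi):
    """r(chi), t(chi) for the embedding-degree-12 family in the text."""
    r = 36*chi**4 - 36*chi**3 + 18*chi**2 - 6*chi + 1
    t = 6*chi**2 + 1
    return r, t


def k8_params(chi):
    """r(chi), t(chi) for the embedding-degree-8 family in the text."""
    r = 9*chi**4 + 12*chi**3 + 8*chi**2 + 4*chi + 1
    t = -9*chi**3 - 3*chi**2 - 2*chi
    return r, t


def check_k12(chi):
    """True if both k = 12 properties hold for this chi."""
    r, t = k12_params(chi)
    p = (t - 1) % r
    # Relation from the text: p ≡ (2chi - 1) p^10 + 2chi (mod r).
    relation = (p - ((2*chi - 1) * pow(p, 10, r) + 2*chi)) % r == 0
    # Phi_12(p) = p^4 - p^2 + 1 ≡ 0 (mod r) implies r | p^12 - 1,
    # so the final exponent (p^12 - 1)/r is an integer.
    cyclotomic = (pow(p, 4, r) - pow(p, 2, r) + 1) % r == 0
    return relation and cyclotomic


def check_k8(chi):
    """True if both k = 8 properties hold for this chi."""
    r, t = k8_params(chi)
    p = (t - 1) % r
    # Relation from the text: p^3 ≡ p^2 + 3chi + 1 (mod r).
    relation = (pow(p, 3, r) - (pow(p, 2, r) + 3*chi + 1)) % r == 0
    # Phi_8(p) = p^4 + 1 ≡ 0 (mod r) implies r | p^8 - 1.
    cyclotomic = (pow(p, 4, r) + 1) % r == 0
    return relation and cyclotomic


def loop_bits(chi, k):
    """Bit length of r versus the Miller-loop scalar used in the text.

    The text's rational functions carry the subscripts 2chi (k = 12)
    and 3chi (k = 8); a Miller loop over the full order r is the Tate
    pairing case, shown here for comparison.
    """
    if k == 12:
        r, _ = k12_params(chi)
        scalar = 2 * chi
    elif k == 8:
        r, _ = k8_params(chi)
        scalar = 3 * chi
    else:
        raise ValueError("only k = 8 and k = 12 appear in the text")
    return {"r_bits": r.bit_length(), "loop_bits": abs(scalar).bit_length()}


# Constructed sample value of chi (63 bits), chosen only for illustration.
CHI_SAMPLE = 2**62 + 2**55 + 1

if __name__ == "__main__":
    print("k=12 relations hold:", all(check_k12(c) for c in range(-50, 51)))
    print("k=8  relations hold:", all(check_k8(c) for c in range(-50, 51)))
    print("k=12 loop sizes:", loop_bits(CHI_SAMPLE, 12))
    print("k=8  loop sizes:", loop_bits(CHI_SAMPLE, 8))
```

For the sample χ the order r is about four times as long in bits as the scalar 2χ, which is the saving in Miller-loop length that the χ-based representation is after.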

According to a further aspect of the present invention, there is provided a pairing computation method, in which, as described in claim 11,

an elliptic curve is given as y²=x³+ax, a∈F_(p), letting an embedding degree be 8, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p) ⁸, E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G ₁ =E[r]∩Ker(φ_(p)−[1]),

G ₂ =E[r]∩Ker(φ_(p) −[p]),

as a non-degenerate bilinear map

e:G ₁ ×G ₂ →F* _(p) ⁸/(F* _(p) ⁸)^(r),

an electronic computer which includes a CPU computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, Z_(S) be a set of rational points S and p³S, Z_(Q) be a set of rational points p³Q and Q, and F_(3χ,ZS)(Z_(Q)) be a rational function which is calculated using Miller's algorithm with respect to multi-pairing (MMA),

the order r and a trace t of the Frobenius endomorphism φ_(p) are specified using the integer variable χ as,

r(χ)=9χ⁴+12χ³+8χ²+4χ+1,

t(χ)=−9χ³−3χ²−2χ,

and a representation of the integer variable χ using p² and p³ with p as a characteristic is

p³≡p²+3χ+1 (mod r(χ)), and

the pairing computation method comprises:

an input step which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers by causing the CPU of the electronic computer to function as an input unit;

a first computation step which computes F_(3χ,ZS)(Z_(Q)) by causing the CPU of the electronic computer to function as a first computation unit;

a second computation step which computes respective rational points p²(S), p²(p³S), (3χ+1)S, (3χ+1)p³S in order using previously obtained results by causing the CPU of the electronic computer to function as a second computation unit;

a third computation step which respectively computes a value l₅ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χS, S), a value l₆ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(S), (3χ+1)S), a value l₇ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χp³S, p³S), and a value l₈ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(p³S), (3χ+1)p³S) by causing the CPU of the electronic computer to function as a third computation unit;

a fourth computation step which computes f′ _(χ,S)(Q) using said F_(3χ,ZS)(Z_(Q)) and said values l₅, l₆, l₇, l₈ as

[F43]

f′ _(χ,S)(Q)=F _(3χ,Z) _(S) (Z _(Q)){l ₅ ·l ₆}^(p) ⁵ ·l ₇ ·l ₈

by causing the CPU of the electronic computer to function as a fourth computation unit; and

a fifth computation step which computes the pairing e(S, Q) using said f′ _(χ,S)(Q) as

[F44]

e(S, Q)=f′ _(χ,S)(Q)^((p) ⁸ ^(−1)/r)

by causing the CPU of the electronic computer to function as a fifth computation unit.

According to a further aspect of the present invention, there is provided a pairing computation program, in which, as described in claim 12,

an elliptic curve is given as y²=x³+ax, a∈F_(p), letting an embedding degree be 8, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p) ⁸, E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G ₁ =E[r]∩Ker(φ_(p)−[1]),

G ₂ =E[r]∩Ker(φ_(p) −[p]),

as a non-degenerate bilinear map

e:G ₁ ×G ₂ →F* _(p) ⁸/(F* _(p) ⁸)^(r),

the pairing computation program causes an electronic computer which includes a CPU to compute the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, Z_(S) be a set of rational points S and p³S, Z_(Q) be a set of rational points p³Q and Q, and F_(3χ,ZS)(Z_(Q)) be a rational function which is calculated using Miller's algorithm with respect to multi-pairing (MMA),

the order r and a trace t of the Frobenius endomorphism φ_(p) are specified using the integer variable χ as,

r(χ)=9χ⁴+12χ³+8χ²+4χ+1,

t(χ)=−9χ³−3χ²−2χ,

and a representation of the integer variable χ using p² and p³ with p as a characteristic is

p³≡p²+3χ+1 (mod r(χ)), and

the pairing computation program causes the CPU of the electronic computer to function as:

an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers;

a first computation unit which computes F_(3χ,ZS)(Z_(Q));

a second computation unit which computes respective rational points p²(S), p²(p³S), (3χ+1)S, (3χ+1)p³S in order using previously obtained results;

a third computation unit which respectively computes a value l₅ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χS, S), a value l₆ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(S), (3χ+1)S), a value l₇ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χp³S, p³S), and a value l₈ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(p³S), (3χ+1)p³S);

a fourth computation unit which computes f′ _(χ,S)(Q) using said F_(3χ,ZS)(Z_(Q)) and said values l₅, l₆, l₇, l₈ as

[F45]

f′ _(χ,S)(Q)=F _(3χ,Z) _(S) (Z _(Q)){l ₅ ·l ₆}^(p) ⁵ ·l ₇ ·l ₈; and

a fifth computation unit which computes the pairing e(S, Q) using said f′ _(χ,S)(Q) as

[F46]

e(S, Q)=f′ _(χ,S)(Q)^((p) ⁸ ^(−1)/r).

According to a further aspect of the present invention, there is provided a pairing computation device, in which, as described in claim 13,

an elliptic curve is given as y²=x³+ax+b, a∈F_(p), b∈F_(p), letting k be an embedding degree, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p) ^(k), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G ₁ =E[r]∩Ker(φ_(p)−[1]),

G ₂ =E[r]∩Ker(φ_(p) −[p]),

as a non-degenerate bilinear map

e:G ₁ ×G ₂ →F* _(p) ^(k)/(F* _(p) ^(k))^(r),

the pairing computation device comprises a CPU which computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and f be a rational function which is calculated using Miller's algorithm,

the order r and a trace t of the Frobenius endomorphism φ_(p) are specified preliminarily according to the embedding degree k using the integer variable χ, and

the CPU includes:

an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers;

a computation unit which computes f;

a computation unit which computes a value of a straight line passing through given rational points at a rational point Q(x_(Q), y_(Q));

a computation unit which computes f′ _(χ,S)(Q) using said f and said value; and

a computation unit which computes the pairing e(S, Q) using said f′ _(χ,S)(Q) as

[F47]

e(S, Q)=f′ _(χ,S)(Q)^((p) ^(k) ^(−1)/r).

According to a further aspect of the present invention, there is provided a pairing computation method, in which, as described in claim 14,

an elliptic curve is given as y²=x³+ax+b, a∈F_(p), b∈F_(p), letting k be an embedding degree, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p) ^(k), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G ₁ =E[r]∩Ker(φ_(p)−[1]),

G ₂ =E[r]∩Ker(φ_(p) −[p]),

as non-degenerate bilinear map

e:G ₁ ×G ₂ →F* _(p) ^(k)/(F* _(p) ^(k))^(r),

an electronic computer which includes a CPU computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and f be a rational function which is calculated using Miller's algorithm,

the order r and a trace t of the Frobenius endomorphism φ_(p) are specified preliminarily according to the embedding degree k using the integer variable χ, and

the pairing computation method comprises:

a step of inputting the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers by causing the CPU of the electronic computer to function as an input unit;

a step of computing f by causing the CPU of the electronic computer to function as a computation unit;

a step of computing a value of a straight line passing through given rational points at a rational point Q(x_(Q), y_(Q)) by causing the CPU of the electronic computer to function as a computation unit;

a step of computing f′ _(χ,S)(Q) using said f and said value by causing the CPU of the electronic computer to function as a computation unit; and

a step of computing the pairing e(S, Q) using said f′ _(χ,S)(Q) as

[F48]

e(S, Q)=f′ _(χ,S)(Q)^((p) ^(k) ^(−1)/r)

by causing the CPU of the electronic computer to function as acomputation unit.

According to a further aspect of the present invention, there is provided a pairing computation program in which, as described in claim 15,

an elliptic curve is given as y²=x³+ax+b, a∈F_(p), b∈F_(p), letting k be an embedding degree, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p^k), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G₁=E[r]∩Ker(φ_(p)−[1]),

G₂=E[r]∩Ker(φ_(p)−[p]),

as non-degenerate bilinear map

$e: G_{1} \times G_{2} \to F^{*}_{p^{k}}/(F^{*}_{p^{k}})^{r}$,

the pairing computation program causes an electronic computer which includes a CPU to compute the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and f be a rational function which is calculated using Miller's algorithm,

the order r and a trace t of the Frobenius endomorphism φ_(p) are specified preliminarily according to the embedding degree k using the integer variable χ, and

the pairing computation program causes the CPU of the electronic computer to function as:

an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers;

a computation unit which computes f;

a computation unit which computes a value of a straight line passing through given rational points at a rational point Q(x_(Q), y_(Q));

a computation unit which computes f′_(χ,S)(Q) using said f and said value; and

a computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as

[F49]

$e(S, Q) = f'_{\chi,S}(Q)^{(p^{k}-1)/r}$.

According to a further aspect of the present invention, there is provided a pairing computation device, in which, as described in claim 16,

an elliptic curve is given as y²=x³+b, b∈F_(p), letting an embedding degree be 12, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p¹²), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G₁=E[r]∩Ker(φ_(p)−[1]),

G₂=E[r]∩Ker(φ_(p)−[p]),

as a non-degenerate bilinear map

$e: G_{1} \times G_{2} \to F^{*}_{p^{12}}/(F^{*}_{p^{12}})^{r}$,

the pairing computation device comprises a CPU which computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and f_(2χ,S)(Q) be a rational function which is calculated using Miller's algorithm,

the order r and a trace t of the Frobenius endomorphism φ_(p) are specified using the integer variable χ as,

r(χ)=36χ⁴−36χ³+18χ²−6χ+1,

t(χ)=6χ²+1,

a representation of the integer variable χ using p¹⁰ with p as a characteristic is

p≡(2χ−1)p¹⁰+2χ (mod r(χ)) and

the CPU includes:

an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers;

a first computation unit which computes f_(2χ,S)(Q) and f_(2χ,pS)(Q);

a second computation unit which computes given rational points using 2χS and 2χpS which are calculated when computing said f_(2χ,S)(Q) and f_(2χ,pS)(Q);

a third computation unit which computes a value at a rational point Q(x_(Q), y_(Q)) of a straight line passing through the given rational points;

a fourth computation unit which computes f′_(χ,S)(Q) using said f_(2χ,S)(Q) and said value; and

a fifth computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as

[F50]

$e(S, Q) = f'_{\chi,S}(Q)^{(p^{12}-1)/r}$.

In particular, the pairing computation device is characterized in that

the second computation unit computes respective rational points −S, (2χ−1)S, p¹⁰((2χ−1)S), −pS, (2χ−1)pS, p¹⁰((2χ−1)pS) in order using previously obtained results,

the third computation unit respectively computes a value l₁ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)S, −S), a value l₂ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)S), 2χS), a value l₃ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)pS, −pS), and a value l₄ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)pS), 2χpS), and

the fourth computation unit computes f′_(χ,S)(Q) using the values l₁, l₂, l₃, l₄ at the rational point Q(x_(Q), y_(Q)) as

[F51]

$f'_{\chi,S}(Q) = \left(\{f_{2\chi,S}(Q) \cdot l_{1}^{-1}\}^{p^{10}} \cdot f_{2\chi,S}(Q) \cdot l_{2}\right)^{p} \cdot \{f_{2\chi,pS}(Q) \cdot l_{3}^{-1}\}^{p^{10}} \cdot f_{2\chi,pS}(Q) \cdot l_{4}$.

According to a further aspect of the present invention, there is provided a pairing computation method, in which, as described in claim 18,

an elliptic curve is given as y²=x³+b, b∈F_(p), letting an embedding degree be 12, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p¹²), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G₁=E[r]∩Ker(φ_(p)−[1]),

G₂=E[r]∩Ker(φ_(p)−[p]),

as non-degenerate bilinear map

$e: G_{1} \times G_{2} \to F^{*}_{p^{12}}/(F^{*}_{p^{12}})^{r}$,

an electronic computer which includes a CPU computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and f_(2χ,S)(Q) be a rational function which is calculated using Miller's algorithm,

the order r and a trace t of the Frobenius endomorphism φ_(p) are specified using the integer variable χ as,

r(χ)=36χ⁴−36χ³+18χ²−6χ+1,

t(χ)=6χ²+1,

a representation of the integer variable χ using p¹⁰ with p as a characteristic is

p≡(2χ−1)p¹⁰+2χ (mod r(χ)), and

the pairing computation method comprises:

an input step which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers by causing the CPU of the electronic computer to function as an input unit;

a first computation step which computes f_(2χ,S)(Q) and f_(2χ,pS)(Q) by causing the CPU of the electronic computer to function as a first computation unit;

a second computation step which computes given rational points using 2χS and 2χpS which are calculated when computing said f_(2χ,S)(Q) and f_(2χ,pS)(Q) by causing the CPU of the electronic computer to function as a second computation unit;

a third computation step which computes a value at a rational point Q(x_(Q), y_(Q)) of a straight line passing through the given rational points by causing the CPU of the electronic computer to function as a third computation unit;

a fourth computation step which computes f′_(χ,S)(Q) using said f_(2χ,S)(Q) and said value by causing the CPU of the electronic computer to function as a fourth computation unit; and

a fifth computation step which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as

[F52]

$e(S, Q) = f'_{\chi,S}(Q)^{(p^{12}-1)/r}$,

by causing the CPU of the electronic computer to function as a fifth computation unit.

In particular, the pairing computation method is characterized in that

the second computation step computes respective rational points −S, (2χ−1)S, p¹⁰((2χ−1)S), −pS, (2χ−1)pS, p¹⁰((2χ−1)pS) in order using previously obtained results,

the third computation step respectively computes a value l₁ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)S, −S), a value l₂ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)S), 2χS), a value l₃ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)pS, −pS), and a value l₄ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)pS), 2χpS), and

the fourth computation step computes f′_(χ,S)(Q) using the values l₁, l₂, l₃, l₄ at the rational point Q(x_(Q), y_(Q)) as

$f'_{\chi,S}(Q) = \left(\{f_{2\chi,S}(Q) \cdot l_{1}^{-1}\}^{p^{10}} \cdot f_{2\chi,S}(Q) \cdot l_{2}\right)^{p} \cdot \{f_{2\chi,pS}(Q) \cdot l_{3}^{-1}\}^{p^{10}} \cdot f_{2\chi,pS}(Q) \cdot l_{4}$.

According to a further aspect of the present invention, there is provided a pairing computation program, in which, as described in claim 20,

an elliptic curve is given as y²=x³+b, b∈F_(p), letting an embedding degree be 12, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p¹²), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G₁=E[r]∩Ker(φ_(p)−[1]),

G₂=E[r]∩Ker(φ_(p)−[p]),

as non-degenerate bilinear map

$e: G_{1} \times G_{2} \to F^{*}_{p^{12}}/(F^{*}_{p^{12}})^{r}$, and

the pairing computation program causes an electronic computer which includes a CPU to compute the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and f_(2χ,S)(Q) and f_(2χ,pS)(Q) be rational functions which are calculated using Miller's algorithm,

the order r and a trace t of the Frobenius endomorphism φ_(p) are specified using the integer variable χ as,

r(χ)=36χ⁴−36χ³+18χ²−6χ+1,

t(χ)=6χ²+1,

a representation of the integer variable χ using p¹⁰ with p as a characteristic is

p≡(2χ−1)p¹⁰+2χ (mod r(χ)), and

the pairing computation program causes the CPU of the electronic computer to function as:

an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers;

a first computation unit which computes f_(2χ,S)(Q) and f_(2χ,pS)(Q);

a second computation unit which computes given rational points using 2χS and 2χpS which are calculated when computing said f_(2χ,S)(Q) and f_(2χ,pS)(Q);

a third computation unit which computes a value at a rational point Q(x_(Q), y_(Q)) of a straight line passing through the given rational points;

a fourth computation unit which computes f′_(χ,S)(Q) using said f_(2χ,S)(Q) and said value; and

a fifth computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as

[F54]

$e(S, Q) = f'_{\chi,S}(Q)^{(p^{12}-1)/r}$.

In particular, the pairing computation program is characterized in that

the pairing computation program causes:

the CPU of the electronic computer which functions as the second computation unit to compute respective rational points −S, (2χ−1)S, p¹⁰((2χ−1)S), −pS, (2χ−1)pS, p¹⁰((2χ−1)pS) in order using previously obtained results;

the CPU of the electronic computer which functions as the third computation unit to respectively compute a value l₁ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)S, −S), a value l₂ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)S), 2χS), a value l₃ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)pS, −pS), and a value l₄ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)pS), 2χpS); and

the CPU of the electronic computer which functions as the fourth computation unit to compute f′_(χ,S)(Q) using the values l₁, l₂, l₃, l₄ at the rational point Q(x_(Q), y_(Q)) as

[F55]

$f'_{\chi,S}(Q) = \left(\{f_{2\chi,S}(Q) \cdot l_{1}^{-1}\}^{p^{10}} \cdot f_{2\chi,S}(Q) \cdot l_{2}\right)^{p} \cdot \{f_{2\chi,pS}(Q) \cdot l_{3}^{-1}\}^{p^{10}} \cdot f_{2\chi,pS}(Q) \cdot l_{4}$.

According to a further aspect of the present invention, there is provided a pairing computation device, in which, as described in claim 22,

an elliptic curve is given as y²=x³+ax, a∈F_(p), letting an embedding degree be 8, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p⁸), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G₁=E[r]∩Ker(φ_(p)−[1]),

G₂=E[r]∩Ker(φ_(p)−[p]),

as non-degenerate bilinear map

$e: G_{1} \times G_{2} \to F^{*}_{p^{8}}/(F^{*}_{p^{8}})^{r}$, and

the pairing computation device comprises a CPU which computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and f_(3χ,S)(Q) be a rational function which is calculated using Miller's algorithm,

the order r and a trace t of the Frobenius endomorphism φ_(p) are specified using the integer variable χ as,

r(χ)=9χ⁴+12χ³+8χ²+4χ+1,

t(χ)=−9χ³−3χ²−2χ,

a representation of the integer variable χ using p² and p³ with p as a characteristic is

p³≡p²+3χ+1 (mod r(χ)) and

the CPU includes:

an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers;

a first computation unit which computes f_(3χ,S)(Q) and f_(3χ,p³S)(Q);

a second computation unit which computes respective rational points p²(S), (3χ+1)S, p²(p³S), (3χ+1)p³S in order using previously obtained results;

a third computation unit which respectively computes a value l₅ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χS, S), a value l₆ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(S), (3χ+1)S), a value l₇ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χp³S, p³S), and a value l₈ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(p³S), (3χ+1)p³S);

a fourth computation unit which computes f′_(χ,S)(Q) using the computation result of the first computation unit and the computation result of the third computation unit as

[F56]

$f'_{\chi,S}(Q) = (f_{3\chi,S}(Q) \cdot l_{5} \cdot l_{6})^{p^{3}} \cdot f_{3\chi,p^{3}S}(Q) \cdot l_{7} \cdot l_{8}$; and

a fifth computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as

[F57]

$e(S, Q) = f'_{\chi,S}(Q)^{(p^{8}-1)/r}$.

According to a further aspect of the present invention, there is provided a pairing computation method, in which, as described in claim 23,

an elliptic curve is given as y²=x³+ax, a∈F_(p), letting an embedding degree be 8, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p⁸), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G₁=E[r]∩Ker(φ_(p)−[1]),

G₂=E[r]∩Ker(φ_(p)−[p]),

as non-degenerate bilinear map

$e: G_{1} \times G_{2} \to F^{*}_{p^{8}}/(F^{*}_{p^{8}})^{r}$,

an electronic computer which includes a CPU computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and f_(3χ,S)(Q) be a rational function which is calculated using Miller's algorithm,

the order r and a trace t of the Frobenius endomorphism φ_(p) are specified using the integer variable χ as,

r(χ)=9χ⁴+12χ³+8χ²+4χ+1,

t(χ)=−9χ³−3χ²−2χ,

a representation of the integer variable χ using p² and p³ with p as a characteristic is

p³≡p²+3χ+1 (mod r(χ)) and

the pairing computation method comprises:

an input step which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers by causing the CPU of the electronic computer to function as an input unit;

a first computation step which computes f_(3χ,S)(Q) and f_(3χ,p³S)(Q) by causing the CPU of the electronic computer to function as a first computation unit;

a second computation step which computes respective rational points p²(S), (3χ+1)S, p²(p³S), (3χ+1)p³S in order using previously obtained results by causing the CPU of the electronic computer to function as a second computation unit;

a third computation step which respectively computes a value l₅ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χS, S), a value l₆ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(S), (3χ+1)S), a value l₇ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χp³S, p³S), and a value l₈ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(p³S), (3χ+1)p³S) by causing the CPU of the electronic computer to function as a third computation unit; and

a fourth computation step which computes f′_(χ,S)(Q) using the values l₅, l₆, l₇, l₈ as

[F58]

$f'_{\chi,S}(Q) = (f_{3\chi,S}(Q) \cdot l_{5} \cdot l_{6})^{p^{3}} \cdot f_{3\chi,p^{3}S}(Q) \cdot l_{7} \cdot l_{8}$;

by causing the CPU of the electronic computer to function as a fourth computation unit; and

a fifth computation step which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as

[F59]

$e(S, Q) = f'_{\chi,S}(Q)^{(p^{8}-1)/r}$

by causing the CPU of the electronic computer to function as a fifth computation unit.

According to a further aspect of the present invention, there is provided a pairing computation program, in which, as described in claim 24,

an elliptic curve is given as y²=x³+ax, a∈F_(p), letting an embedding degree be 8, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p⁸), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G₁=E[r]∩Ker(φ_(p)−[1]),

G₂=E[r]∩Ker(φ_(p)−[p]),

as non-degenerate bilinear map

$e: G_{1} \times G_{2} \to F^{*}_{p^{8}}/(F^{*}_{p^{8}})^{r}$,

the pairing computation program causes an electronic computer which includes a CPU to compute the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and f_(3χ,S)(Q) be a rational function which is calculated using Miller's algorithm,

the order r and a trace t of the Frobenius endomorphism φ_(p) are specified using the integer variable χ as,

r(χ)=9χ⁴+12χ³+8χ²+4χ+1,

t(χ)=−9χ³−3χ²−2χ,

a representation of the integer variable χ using p² and p³ with p as a characteristic is

p³≡p²+3χ+1 (mod r(χ)) and

the pairing computation program causes the CPU of the electronic computer to function as:

an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers;

a first computation unit which computes f_(3χ,S)(Q) and f_(3χ,p³S)(Q);

a second computation unit which computes respective rational points p²(S), (3χ+1)S, p²(p³S), (3χ+1)p³S in order using previously obtained results;

a third computation unit which respectively computes a value l₅ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χS, S), a value l₆ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(S), (3χ+1)S), a value l₇ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χp³S, p³S), and a value l₈ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(p³S), (3χ+1)p³S); and

a fourth computation unit which computes f′_(χ,S)(Q) using the values l₅, l₆, l₇, l₈ as

[F60]

$f'_{\chi,S}(Q) = (f_{3\chi,S}(Q) \cdot l_{5} \cdot l_{6})^{p^{3}} \cdot f_{3\chi,p^{3}S}(Q) \cdot l_{7} \cdot l_{8}$; and

a fifth computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as

[F61]

$e(S, Q) = f'_{\chi,S}(Q)^{(p^{8}-1)/r}$.

According to the present invention, it is possible to calculate a rational function at high speed by making the rational function a function of an integer variable χ, thus enabling high speed pairing computation.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram of a pairing computation device according to an embodiment of the present invention;

FIG. 2 is a flowchart of a Twisted Xate pairing computation program according to the embodiment of the present invention;

FIG. 3 is a flowchart for computing a rational function f_(2χ,S)(Q);

FIG. 4 is a flowchart of the Twisted Xate pairing computation program according to the embodiment of the present invention;

FIG. 5 is a flowchart of the Twisted Xate multi-pairing computation program according to the embodiment of the present invention;

FIG. 6 is a flowchart for computing a rational function F_(2χ,Z_(S))(Z_(Q));

FIG. 7 is a flowchart of a Twisted Xate multi-pairing computation program according to the embodiment of the present invention; and

FIG. 8 is a calculation flow in a case where a thread calculation is applied to the Twisted Xate pairing according to the embodiment of the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

In a pairing computation device, a pairing computation method and a pairing computation program according to the present invention, pairing computation consists of a first step which computes a rational function using Miller's algorithm and a second step which performs exponentiation of the result of that computation. The first step computes the rational function using an integer variable χ, thereby speeding up the pairing computation.

That is, in a conventional pairing computation, in which

an elliptic curve is given as y²=x³+ax+b, a∈F_(p), b∈F_(p), letting k be an embedding degree, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p^k), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

G ₁ =E[r]∩Ker(φ_(p)−[1]),

G ₂ =E[r]∩Ker(φ_(p) −[p]),

as non-degenerate bilinear map

$e: G_{1} \times G_{2} \to F^{*}_{p^{k}}/(F^{*}_{p^{k}})^{r}$,

a pairing α(S, Q) is computed, using S∈G₁, Q∈G₂, a given integer variable χ, and a rational function f_((t−1)²,S)(Q) which is calculated using Miller's algorithm, as

[F62]

$\alpha(S, Q) = f_{(t-1)^{2},S}(Q)^{(p^{k}-1)/r}$.

This is known as Twisted Ate pairing.

On the other hand, the inventors have found a new pairing which enables fast pairing computation as a non-degenerate bilinear map by using an integer variable χ on an elliptic curve as below

$e: G_{1} \times G_{2} \to F^{*}_{p^{k}}/(F^{*}_{p^{k}})^{r}$.

This pairing is hereinafter referred to as “Twisted Xate pairing”. Further, it is possible to perform even faster pairing computation by applying the multi-pairing technique, which calculates a product of a plurality of pairings. This pairing is hereinafter referred to as “Twisted Xate multi-pairing”. That is, the pairing computation device, the pairing computation method, and the pairing computation program according to the present invention make it possible to perform fast pairing computation by using Twisted Xate pairing and Twisted Xate multi-pairing.

In particular, pairing friendly curves are known for the respective embedding degrees. For example, when the embedding degree is 12, it is known that the order r and the trace t of the Frobenius endomorphism φ_(p) are expressed using an integer variable χ as

r(χ)=36χ⁴−36χ³+18χ²−6χ+1,

t(χ)=6χ²+1.

Further, when the embedding degree is 8, it is known that r(χ) and t(χ) are expressed as

r(χ)=9χ⁴+12χ³+8χ²+4χ+1,

t(χ)=−9χ³−3χ²−2χ.

Hereinafter, a case where the embedding degree is 12 is explained as an example. Accordingly, as mentioned above,

r(χ)=36χ⁴−36χ³+18χ²−6χ+1   (Equation 1)

t(χ)=6χ²+1   (Equation 2)

From (Equation 2),

6χ²≡t−1≡p(mod r)   (Equation 3)

Here, it is used that a characteristic p is expressed as

p=r+t−1   (Equation 4)

Accordingly, (Equation 1) is transformed as

p²−6χp+3p−6χ+1≡0(mod r)

(−6χ+3)p≡−p²+6χ−1(mod r)   (Equation 5)

By squaring both sides of (Equation 5), the following equation is obtained.

(6χ−3)²p²≡(p²−6χ+1)²(mod r)

36χ²p²−36χp²+9p²≡p⁴−12χp²+2p²+36χ²−12χ+1(mod r)   (Equation 6)

Here, from already known relation equation p⁴+1≡p²(mod r),

36χ²p²−36χp²+9p²≡−12χp²+3p²+36χ²−12χ(mod r),

36χ²(p²−1)≡(24χ−6)p²−12χ(mod r),

6χ²(p²−1)≡(4χ−1)p²−2χ(mod r)   (Equation 7)

are obtained and by multiplying both sides of (Equation 7) by (p²−1)⁻¹

6χ²≡−(4χ−1)p⁴+2χp²   (Equation 8)

is obtained. Here, (p²−1)⁻¹ can be obtained based on the relation equation p⁴−p²+1≡0(mod r) and gcd(p⁴−p²+1, p²−1)=1, as follows.

p⁴−p²+1≡0(mod r)

−p²(p²−1)≡1(mod r)

(p²−1)⁻¹≡−p²(mod r)   (Equation 9)

From the relation equation p²≡p⁴+1(mod r),

$\begin{aligned} 6\chi^{2} &\equiv -(4\chi-1)p^{4} + 2\chi(p^{4}+1) \\ &\equiv -(2\chi-1)p^{4} + 2\chi \pmod{r} \end{aligned}$   (Equation 10)

is obtained. Based on (Equation 3) and p⁶≡−1(mod r),

p≡(2χ−1)p¹⁰+2χ  (Equation 11)

is obtained.

Next, a rational function f_((t−1)² mod r,S)(·) of Twisted Ate pairing is considered. In particular, from (Equation 3),

[F63]

$f_{p^{2} \bmod r,\,S} = f_{(t-1)^{2} \bmod r,\,S}$   (Equation 12)

Here, S∈G₁ and with respect to Q∈G₂,

[F64]

$f_{p^{2} \bmod r,\,S}(Q)^{(p^{12}-1)/r} = f_{(t-1)^{2},S}(Q)^{(p^{12}-1)/r} = \alpha(S, Q)$   (Equation 13)

Further, a rational function has relationships as follows.

f _(a+b,S) =f _(a,S) ·f _(b,S) ·g _(aS,bS),   (Equation 14a)

f _(a−b,S) =f _(a,S) ·{f _(b,S) ·g _((a−b)S,bS)}⁻¹   (Equation 14b)

f _(ab,S) =f ^(a) _(b,S) ·f _(a,bS) =f ^(b) _(a,S) ·f _(b,aS)  (Equation 14c)

Here, g_(aS,bS)=l_(aS,bS)/v_(aS+bS), where l_(aS,bS) is a value of a straight line passing through two rational points aS and bS, and v_(aS+bS) is a value of a vertical line at a rational point aS+bS. In a case of the embedding degree being an even number, calculation of v_(aS+bS) can be omitted.

Based on (Equation 14c), (Equation 12) becomes as follows.

[F65]

$f_{p^{2},S} = f_{p,S}^{p} \cdot f_{p,pS}$   (Equation 15)

And using (Equation 11), it becomes

[F66]

$f_{p,S}^{p} \cdot f_{p,pS} = f_{(2\chi-1)p^{10}+2\chi,\,S}^{p} \cdot f_{(2\chi-1)p^{10}+2\chi,\,pS}$   (Equation 16)

Further, based on (Equation 14a) and (Equation 14b), it becomes

[F67]

$f_{p,S}^{p} \cdot f_{p,pS} = \left(\{f_{2\chi,S} \cdot \{g_{(2\chi-1)S,-S}\}^{-1}\}^{p^{10}} \cdot f_{p^{10},(2\chi-1)S} \cdot f_{2\chi,S} \cdot g_{(2\chi-1)p^{10}S,\,2\chi S}\right)^{p} \cdot \{f_{2\chi,pS} \cdot \{g_{(2\chi-1)pS,-pS}\}^{-1}\}^{p^{10}} \cdot f_{p^{10},(2\chi-1)pS} \cdot f_{2\chi,pS} \cdot g_{(2\chi-1)p^{10}pS,\,2\chi pS}$   (Equation 17)

In addition, since in (Equation 17),

[F68]

$f_{p^{10},(2\chi-1)S}^{p} \cdot f_{p^{10},(2\chi-1)pS}$   (Equation 18)

has a property of bilinearity, (Equation 17) can be transformed as follows.

[F69]

$f_{p,S}^{p} \cdot f_{p,pS} \cdot \{f_{p^{10},(2\chi-1)S}^{p} \cdot f_{p^{10},(2\chi-1)pS}\}^{-1} = \left(\{f_{2\chi,S} \cdot \{g_{(2\chi-1)S,-S}\}^{-1}\}^{p^{10}} \cdot f_{2\chi,S} \cdot g_{(2\chi-1)p^{10}S,\,2\chi S}\right)^{p} \cdot \{f_{2\chi,pS} \cdot \{g_{(2\chi-1)pS,-pS}\}^{-1}\}^{p^{10}} \cdot f_{2\chi,pS} \cdot g_{(2\chi-1)p^{10}pS,\,2\chi pS}$   (Equation 19)

Here, the fact that the left-hand side of (Equation 19) has the property of bilinearity led the inventors to the finding that the right-hand side of (Equation 19) also has the property of bilinearity. Accordingly, the inventors have found the Twisted Xate pairing which, using the right-hand side of (Equation 19) as a new rational function f′_(χ,S)(·), computes the pairing e(S, Q) as

[F70]

$e(S, Q) = f'_{\chi,S}(Q)^{(p^{12}-1)/r}$   (Equation 20).

In this Twisted Xate pairing, it is possible to obtain f′_(χ,S)(Q) at high speed by calculating f_(2χ,S)(Q) and f_(2χ,pS)(Q) using an integer variable χ which has a smaller size than (t−1)² mod r in a computation using Miller's algorithm. However, since the two rational points used in these two computations using Miller's algorithm are different, (Equation 19) is usually calculated as follows.

Given F₁, F₂ as

[F71]

$F_{1} = \{f_{2\chi,S} \cdot \{g_{(2\chi-1)S,-S}\}^{-1}\}^{p^{10}} \cdot f_{2\chi,S} \cdot g_{(2\chi-1)p^{10}S,\,2\chi S}$   (Equation 21)

[F72]

$F_{2} = \{f_{2\chi,pS} \cdot \{g_{(2\chi-1)pS,-pS}\}^{-1}\}^{p^{10}} \cdot f_{2\chi,pS} \cdot g_{(2\chi-1)p^{10}pS,\,2\chi pS}$   (Equation 22)

(Equation 19) can be expressed as f′_(χ,S)=F₁^(p)·F₂ using F₁ and F₂. Since the rational point pS which is necessary for calculating F₂ is obtained in the course of calculating F₁, F₁ is calculated first and F₂ is calculated next. In this case, the repetition count of Miller's algorithm becomes

2[log₂χ]≈(½)[log₂r].
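The chain of congruences from (Equation 3) to (Equation 11), the embedding-degree-8 relation p³≡p²+3χ+1 (mod r), and the loop-length comparison above can be checked numerically. The following Python is an added example, not code from the patent; the function names and the sample value of χ are constructed for illustration, and the primality of p and r is not tested because the congruences hold for any integer χ.

```python
# Added example: numeric check of the congruences derived in the text.
# Function names and SAMPLE_CHI are illustrative assumptions, not from the patent.

SAMPLE_CHI = 2**62 + 2**55 + 1  # constructed sample; primality of p and r not checked


def k12_params(chi):
    """Return (p, r, t) for embedding degree 12 (Equations 1, 2 and 4)."""
    r = 36 * chi**4 - 36 * chi**3 + 18 * chi**2 - 6 * chi + 1
    t = 6 * chi**2 + 1
    p = r + t - 1
    return p, r, t


def check_k12(chi):
    """Evaluate every step of the derivation modulo r; each entry must be True."""
    p, r, _t = k12_params(chi)

    def same(lhs, rhs):
        return (lhs - rhs) % r == 0

    p2, p4 = p * p, p**4
    return {
        "eq3": same(6 * chi**2, p),
        "eq5": same((-6 * chi + 3) * p, -p2 + 6 * chi - 1),
        "eq6": same((6 * chi - 3) ** 2 * p2, (p2 - 6 * chi + 1) ** 2),
        "p^4+1=p^2": same(p4 + 1, p2),
        "eq7": same(6 * chi**2 * (p2 - 1), (4 * chi - 1) * p2 - 2 * chi),
        "eq8": same(6 * chi**2, -(4 * chi - 1) * p4 + 2 * chi * p2),
        "eq9": same(pow(p2 - 1, -1, r), -p2),  # modular inverse, Python 3.8+
        "eq10": same(6 * chi**2, -(2 * chi - 1) * p4 + 2 * chi),
        "p^6=-1": same(p**6, -1),
        "eq11": same(p, (2 * chi - 1) * p**10 + 2 * chi),
    }


def k8_params(chi):
    """Return (r, t) for embedding degree 8 as given in the text."""
    r = 9 * chi**4 + 12 * chi**3 + 8 * chi**2 + 4 * chi + 1
    t = -9 * chi**3 - 3 * chi**2 - 2 * chi
    return r, t


def check_k8(chi):
    """Check p^3 = p^2 + 3*chi + 1 (mod r) for embedding degree 8."""
    r, t = k8_params(chi)
    p = (t - 1) % r  # p is congruent to t - 1 modulo r because r divides p + 1 - t
    return (p**3 - (p**2 + 3 * chi + 1)) % r == 0


def loop_lengths(chi):
    """Bit lengths that set the Miller loop length for embedding degree 12."""
    _p, r, t = k12_params(chi)
    return {
        "r": r.bit_length(),                            # plain Tate-style loop
        "(t-1)^2 mod r": ((t - 1) ** 2 % r).bit_length(),  # Twisted Ate loop
        "2chi": (2 * chi).bit_length(),                 # each Twisted Xate loop
    }


if __name__ == "__main__":
    for name, ok in check_k12(SAMPLE_CHI).items():
        print(f"{name:>10}: {ok}")
    print("k=8 relation:", check_k8(SAMPLE_CHI))
    print(loop_lengths(SAMPLE_CHI))
```

For the sample χ, each of the two Miller loops runs over a 64-bit parameter against a 254-bit r, which is the (¼)[log₂r] per loop and (½)[log₂r] in total stated in the text.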

A basic idea of the present invention is to make F₁ and F₂ mutually independent calculations by calculating pS preliminarily. Due to this, Twisted Xate pairing according to the present invention can realize parallel processing. To be more specific, multi-pairing, which enables parallel processing of a plurality of Miller's algorithm calculations, can be applied, and in an environment where a CPU having a plurality of cores can be used, thread calculation can be applied.

<Application of Thread Calculation>

pS can be calculated at high speed by means of a scalar multiplication to an extent of (¼)[log₂r] from (Equation 11).

By preliminarily calculating pS, F₁ and F₂ become mutually independent calculations. Accordingly, in an environment where a CPU having a plurality of cores can be used, parallel processing can be realized by assigning the calculations of F₁ and F₂ to respective different cores. FIG. 8 shows a calculation flow in a case where a thread calculation is applied. In this case, the repetition count of Miller's algorithm substantially becomes (¼)[log₂r] from (Equation 21) and (Equation 22).

<Application of Multi-Pairing>

Further, the right hand side of (Equation 19) can be transformed into

$\{f_{2\chi,S}^{p} \cdot f_{2\chi,pS} \cdot \{g_{(2\chi-1)S,-S}^{p} \cdot g_{(2\chi-1)pS,-pS}\}^{-1}\}^{p^{10}} \cdot f_{2\chi,S}^{p} \cdot f_{2\chi,pS} \cdot g_{(2\chi-1)p^{10}S,\,2\chi S}^{p} \cdot g_{(2\chi-1)pS,\,2\chi pS}$   (Equation 23)

From (Equation 23), it can be seen that the main calculation of Twisted Xate pairing is A=f^(p)_(2χ,S)·f_(2χ,pS). In general, to calculate A, f_(2χ,S) is calculated first using Miller's algorithm with the repetition count given by 2χ, and then f_(2χ,pS) is calculated. A is then obtained by taking the product of the two. Here, f^(p)_(2χ,S) can be obtained at an extremely small calculation cost by means of the Frobenius endomorphism. Therefore, since Miller's algorithm with a repetition count of (¼)[log₂r] is performed twice, the calculation cost of processing Twisted Xate pairing by means of Miller's algorithm is given as (½)[log₂r]. The present invention is characterized in that A is obtained by means of Miller's algorithm with respect to multi-pairing (MMA), although in general A is obtained by calculating Miller's algorithm independently for each factor. Using the next relational expression,

[F74]

f _(r,S)(Q)^(p) =f _(r,S)(pQ),

A becomes as below.

[F75]

$A = f_{2\chi,S}(pQ) \cdot f_{2\chi,pS}(Q)$.

By giving A in this way, the calculation of A can be regarded as a multi-pairing which calculates a product of two pairings. Accordingly, by applying MMA, (Equation 23) can be calculated as follows.

[F76]

$f'_{\chi,S}(Q) = \{F_{2\chi,Z_{S}}(Z_{Q}) \cdot \{g_{(2\chi-1)S,-S}^{p} \cdot g_{(2\chi-1)pS,-pS}\}^{-1}\}^{p^{10}} \cdot F_{2\chi,Z_{S}}(Z_{Q}) \cdot g_{(2\chi-1)p^{10}S,\,2\chi S}^{p} \cdot g_{(2\chi-1)pS,\,2\chi pS}$   (Equation 26)

Here, F_(2χ,Z_(S)) is obtained by setting the repetition count of the MMA algorithm to 2χ and by defining Z_(S) and Z_(Q) respectively as follows.

Z_(S)={S, pS}  (Equation 27)

Z_(Q)={pQ, Q}  (Equation 28)

By calculating in this way, it becomes possible to reduce the number of square operations over F_(p¹²) in Miller's algorithm and the number of inverse element calculations over F_(p) required for elliptic addition and elliptic doubling to ½ as compared with a case where the calculations by means of Miller's algorithm are performed independently. Here, from (Equation 27) and (Equation 28), pS and pQ are required to be preliminarily calculated for applying MMA to the calculation of A. Since pS can be calculated at high speed by means of scalar multiplication to an extent of (¼)[log₂r] from (Equation 11) and pQ is obtained by means of the Frobenius endomorphism, the calculation cost required for applying the present invention is far smaller than the calculation cost which can be reduced by applying MMA.

The explanation so far covers the case where the embedding degree is 12. The explanation for the case where the embedding degree is 8 is basically the same, and hence a detailed explanation is omitted.

Hereinafter, an embodiment of the Twisted Xate pairing in a case where the embedding degree is 12 is explained in detail. In addition, in the present embodiment, digital group signature is assumed and an authentication server constituted of a required electronic computer is assumed to be the pairing computation device. However, the pairing computation device is not limited to a case where it is constituted of an authentication server. Provided that a device includes at least an arithmetic means such as a CPU and can perform pairing computation, any device may be used as the pairing computation device.

As shown in FIG. 1, an electronic computer 10 which constitutes an authentication server includes: a CPU 11; a storage unit 12 such as a hard disk which stores various kinds of programs such as a pairing computation program, data which is used by the pairing computation program and the like; and a memory unit 13, constituted of a RAM or the like, which expands the pairing computation program and makes it executable and temporarily stores data generated in the course of execution of the pairing computation program. In FIG. 1, numeral 14 is a bus.

Further, the electronic computer 10 is connected to a telecommunication line 20 such as the Internet and is configured to be able to receive signature data of digital group signature transmitted from a client device 30 which is connected to the telecommunication line 20. In FIG. 1, numeral 15 is an input output control part of the electronic computer 10.

The electronic computer 10, when signature data of the digital group signature is transmitted from the client device 30, temporarily stores the transmitted signature data in the memory unit 13, starts a pairing computation program and performs pairing computation.

That is, the electronic computer 10, by means of the started pairing computation program, performs pairing computation based on a flowchart shown in FIG. 2 and realizes the digital group signature. Here, an authentication processing in the digital group signature is not explained in detail and only the pairing computation as a subroutine processing in the authentication processing is explained in detail.

The electronic computer 10, causing the CPU 11 to function as an input unit by means of the started pairing computation program, inputs data of an integer variable χ and data of a rational point S both of which are stored preliminarily in the memory unit 13, and data of a rational point Q temporarily stored in the memory unit 13 as the signature data into predetermined registers provided inside of the CPU 11 respectively (Step S1).

Next, the electronic computer 10, causing the CPU 11 to function as a first computation unit by means of the pairing computation program, computes a rational function f_(2χ,S)(Q) by means of Miller's algorithm and stores a result of the computation in the memory unit 13 (Step S2).

The electronic computer 10 performs the computation of the rational function f_(2χ,S)(Q) specifically as shown in FIG. 3. In particular, in step S2, the electronic computer 10 computes 2χS as well as the rational function f_(2χ,S)(Q) and stores results of the computation in the memory unit 13.

That is, firstly, the electronic computer 10, as initial setting, sets f to be 1 and T to be S and also sets the number of bits in a case of binary representation of the integer variable 2χ to be i (Step S21).

Next, the electronic computer 10 performs predetermined computation of the rational function f_(2χ,S)(Q) part in step S22, performs predetermined computation of 2χS part in step S23, determines whether u_(i) which is a value of i-th bit counted from the least degree of the integer variable 2χ is “1” or “0” (Step S24) and, when u_(i)=1, further performs predetermined computation of f_(2χ,S)(Q) part in step S25 and performs predetermined computation of 2χS part in step S26.

Next, the electronic computer 10, when i≠1 (Step S27), decrements i (Step S28), returns to step S22 and, by repeating the processing until i=1 in step S27, computes the rational function f_(2χ,S)(Q) and 2χS, and stores results of the computation in the memory unit 13 respectively.

Next, the electronic computer 10, causing the CPU 11 to function as a second computation unit by means of the pairing computation program, reads a value of 2χS stored in the memory unit 13, performs computation of rational points −S, (2χ−1)S, p¹⁰((2χ−1)S) respectively and stores values of the respective rational points in the memory unit 13 respectively (Step S3).

Next, the electronic computer 10, causing the CPU 11 to function as a third computation unit by means of the pairing computation program, reads values of the respective rational points obtained in step S3 from the memory unit 13 respectively, computes l₁ which is a value at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)S, −S) and l₂ which is a value at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)S), 2χS) respectively, and stores values of l₁ and l₂ in the memory unit 13 respectively (Step S4).

To be more specific, the electronic computer 10 computes l=l_(A,B)(Q) as

λ_(A,B)←(y_(B)−y_(A))/(x_(B)−x_(A)),

l_(A,B)(Q)←(x_(Q)−x_(B))λ_(A,B)−(y_(Q)−y_(B)).

That is, the CPU 11 computes a gradient λ_(A,B) using xy coordinates of points A and B and computes l_(A,B)(Q) using a result of the computation and xy coordinates of points Q and B, and stores a result of the computation in the memory unit 13.

Next, the electronic computer 10, causing the CPU 11 to function as the second computation unit by means of the pairing computation program, computes rational point pS (Step S5). To be more specific, the electronic computer 10 reads values of rational points obtained in step S2 and step S3 from the memory unit 13 and computes using these values as below and stores the value of pS in the memory unit 13.

pS=p¹⁰((2χ−1)S)+2χS

Next, the electronic computer 10, causing the CPU 11 to function as the first computation unit by means of the pairing computation program, computes the rational function f_(2χ,pS)(Q) by means of Miller's algorithm and stores a result of the computation in the memory unit 13 (Step S6).

The electronic computer 10 performs a computation of the rational function f_(2χ,S)(Q) specifically as shown in FIG. 3. In particular, in step S6, the electronic computer 10 performs computation of 2χpS as well as computation of the rational function f_(2χ,S)(Q) and stores a result of the computation in the memory unit 13.

Next, the electronic computer 10, causing the CPU 11 to function as the second computation unit by means of the pairing computation program, reads a value of 2χpS stored in the memory unit 13, performs computation of rational points −pS, (2χ−1)pS, p¹⁰((2χ−1)pS) respectively and stores values of the respective rational points in the memory unit 13 respectively (Step S7).

Next, the electronic computer 10, causing the CPU 11 to function as the third computation unit by means of the pairing computation program, reads values of the respective rational points obtained in step S7 from the memory unit 13 respectively, computes l₃ which is a value at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)pS, −pS) and l₄ which is a value at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)pS), 2χpS) respectively, and stores values of l₃ and l₄ in the memory unit 13 respectively (Step S8).

Next, the electronic computer 10, causing the CPU 11 to function as a fourth computation unit by means of the pairing computation program, reads a result of the computation in the first computation unit (values of f_(2χ,S)(Q) and f_(2χ,pS)(Q)) and a result of the computation in the third computation unit (values of l₁, l₂, and l₃, l₄) from the memory unit 13, computes f′_(χ,S)(Q) expressed as below, and stores a result of the computation in the memory unit 13 (Step S9).

[F77]

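$$f'_{\chi,S}(Q)=\left(\left\{f_{2\chi,S}\cdot l_1^{-1}\right\}^{p^{10}}\cdot f_{2\chi,S}\cdot l_2\right)^{p}\cdot\left\{f_{2\chi,pS}\cdot l_3^{-1}\right\}^{p^{10}}\cdot f_{2\chi,pS}\cdot l_4 \qquad \text{(Equation 29)}$$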

To be more specific, the electronic computer 10 computes as follows.

input: S∈G₁, Q∈G₂, 2χ, p
output: f=f′_(χ,S)(Q)
procedure:
1. A←f_(2χ,S) //T₁←2χS is obtained
2. T₂←−S
3. T₃←T₁+T₂
4. B←g_(T3,T2)
5. B←A·B⁻¹
6. B←B^(p¹⁰)
7. f←B·A
8. T₄←p¹⁰T₃
9. B←g_(T4,T1)
10. T₄←T₄+T₁ //T₄←pS is obtained
11. f←f·B
12. f←f^(p)
13. A←f_(2χ,T4) //T₁←2χpS is obtained
14. T₂←−T₄
15. T₃←T₁+T₂
16. B←g_(T3,T2)
17. C←A·B⁻¹
18. C←C^(p¹⁰)
19. C←C·A
20. T₄←p¹⁰T₃
21. B←g_(T4,T1)
22. C←C·B
23. f←f·C
24. Return f.

That is, the CPU 11 performs respective computations in the procedure described above using the memory unit 13, obtains f′_(χ,S)(Q), and stores the value in the memory unit 13. To be more specific, in step 1, the CPU 11 obtains f_(2χ,S) by means of Miller's algorithm and assigns the result to A and also assigns 2χS obtained simultaneously to T₁. In step 2 and 3, the CPU 11 obtains rational points −S and (2χ−1)S, and assigns the results to T₂ and T₃ respectively. In step 4, as mentioned above, since in a case where an embedding degree is an even number, G_(A,B) becomes l_(A,B), the CPU 11 obtains l₁ which is a value at rational point Q of a straight line passing through rational points ((2χ−1)S, −S), and assigns the result to B. In step 5 and 6, the CPU 11 obtains a { } part in ( ) of (Equation 29) and assigns the result to B. In step 7, the CPU 11 obtains a product of B and A, and assigns the result to f. In step 8, the CPU 11 obtains rational point p¹⁰((2χ−1)S) and assigns the result to T₄. In step 9, the CPU 11 obtains l₂ which is a value at rational point Q of a straight line passing through rational points (p¹⁰((2χ−1)S), 2χS) and assigns the result to B. In step 10, the CPU 11 obtains pS using relationship in (Equation 11) and assigns the result to T₄. In step 11 and 12, the CPU 11 obtains a ( ) part of (Equation 29) and assigns the result to f. In step 13, the CPU 11 obtains f_(2χ,pS) by means of Miller's algorithm and assigns the result to A, and assigns 2χpS obtained simultaneously to T₁. In step 14 and 15, the CPU 11 obtains rational points −pS and (2χ−1)pS. In step 16, the CPU 11 obtains l₃ which is a value at rational point Q of a straight line passing through rational points ((2χ−1)pS, −pS) and assigns the result to B. In step 17 and 18, the CPU 11 obtains a { } part accompanying ( ) in (Equation 29) described above. In step 19, the CPU 11 obtains a product of C and A, and assigns the result to C. In step 20, the CPU 11 obtains rational point p¹⁰((2χ−1)S) and assigns the result to T₄. In step 21, the CPU 11 obtains l₄ which is a value at rational point Q of a straight line passing through rational points (p¹⁰((2χ−1)S), 2χpS) and assigns the result to B. In step 22 and 23, the CPU 11 obtains f′_(χ,S)(Q) and assigns the result to f.

Next, the electronic computer 10, causing the CPU 11 to function as a fifth computation unit by means of the pairing computation program, reads a value of f′_(χ,S)(Q) obtained in step S9 from the memory unit 13, performs an exponentiation of the final exponentiation in pairing e(S, Q), and stores a result of the computation in the memory unit 13 (Step S10).

To be more specific, the electronic computer 10 computes as follows and stores f′, that is, a value of e(S, Q) in the memory unit 13.

1. f′←f′^(p⁶)·f′⁻¹
2. f′←f′^(p²)·f′
3. a←(f′⁶)^(χ)·(f′⁵)^(p⁶)
4. b←a^(p)
5. b←a·b
6. compute f′^(p), f′^(p²), and f′^(p³)
7. c←b·(f′^(p))²·f′^(p²)
8. f′←f′^(p³)·(c⁶)^(χ²)·c·b·(f′^(p)·f′)⁹·a·f′⁴
9. Return f′

The electronic computer 10 which constitutes an authentication server performs an authentication processing using a result of the pairing computation obtained as mentioned above.

In the present embodiment, an explanation is made in a case where an embedding degree is 12. However, also in a case where the embedding degree is 8 as described in claim 22 to claim 24, it is possible to compute Twisted Xate pairing at high speed by means of the similar algorithm.

That is, an explanation is made for the case where the embedding degree is 8 and r(χ) and t(χ) are given as follows.

r(χ)=9χ⁴+12χ³+8χ²+4χ+1

t(χ)=−9χ³−3χ²−2χ.

In this case, representation of integer variable χ using p² and p³ with p as a characteristic is as below.

p³=p²+3χ+1

In this case, f′_(χ,S)(Q) becomes, using l₅ which is a value at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χS, S), l₆ which is a value at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(S), (3χ+1)S), l₇ which is a value at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χp³S, p³S), and l₈ which is a value at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(p³S), (3χ+1)p³S), as follows.

[F78]

$$f'_{\chi,S}(Q)=\left(f_{3\chi,S}(Q)\cdot l_5\cdot l_6\right)^{p^3}\cdot f_{3\chi,p^3S}(Q)\cdot l_7\cdot l_8$$

In the similar way as in the case where the embedding degree is 12, in the case where the embedding degree is 8, an authentication server performs pairing computation by means of the started pairing computation program based on a flowchart shown in FIG. 4.

The electronic computer 10, causing the CPU 11 to function as an input unit by means of the started pairing computation program, inputs data of an integer variable χ and data of rational point S both of which are stored preliminarily in the memory unit 13, and data of rational point Q temporarily stored in the memory unit 13 as signature data into predetermined registers provided inside of the CPU 11 respectively (Step T1).

Next, the electronic computer 10, causing the CPU 11 to function as a first computation unit by means of the pairing computation program, computes a rational function f_(3χ,S)(Q) by means of Miller's algorithm and stores a result of the computation in the memory unit 13 (Step T2). In the step T2, the electronic computer 10 performs the same computation processing as in a flowchart shown in FIG. 3, except that anti-logarithm of logarithm to base two in step S21 in the flowchart shown in FIG. 3 is 3χ and the first expression in step S22 is

[F79]

1. λ_(T,T)←(3x_(T)²+a)/2y_(T).

Here, “a” is a coefficient of first degree in an elliptic curve given as y²=x³+ax, a∈F_(p).

Further, also in the step T2, the electronic computer 10 computes 3χS as well as the rational function f_(3χ,S)(Q) and stores results of the computation in the memory unit 13.

After computing rational function f_(3χ,S)(Q) and 3χS, the electronic computer 10, causing the CPU 11 to function as a second computation unit by means of the pairing computation program, reads a value of 3χS stored in the memory unit 13, performs computation of rational points p²(S) and (3χ+1)S respectively and stores values of the rational points in the memory unit 13 respectively (Step T3).

Next, the electronic computer 10, causing the CPU 11 to function as a third computation unit by means of the pairing computation program, reads values of the respective rational points obtained in step T3 from the memory unit 13 respectively, computes l₅ which is a value at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χS, S) and l₆ which is a value at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(S), (3χ+1)S) respectively, and stores values of l₅ and l₆ in the memory unit 13 respectively (Step T4).

In the same way as in the case where the embedding degree is 12, to be more specific, the electronic computer 10 computes l=l_(A,B)(Q) as follows.

λ_(A,B)←(y_(B)−y_(A))/(x_(B)−x_(A)),

l_(A,B)(Q)←(x_(Q)−x_(B))λ_(A,B)−(y_(Q)−y_(B))

Next, the electronic computer 10, causing the CPU 11 to function as the second computation unit by means of the pairing computation program, computes rational point p³S (Step T5). To be more specific, the electronic computer reads values of rational points obtained in step T2 and step T3 from the memory unit 13, computes as below, and stores the value of p³S in the memory unit 13.

p³S=p²S+(3χ+1)S.

Next, the electronic computer 10, causing the CPU 11 to function as the first computation unit by means of the pairing computation program, computes a rational function f_(3χ,p³S)(Q) by means of Miller's algorithm and stores a result of the computation in the memory unit 13 (Step T6).

The electronic computer 10 performs a computation of the rational function f_(3χ,p³S)(Q) specifically as shown in FIG. 3. In particular, in step T6, the electronic computer 10 performs computation of 3χp³S as well as computation of the rational function f_(3χ,p³S)(Q) and stores results of the computation in the memory unit 13.

Next, the electronic computer 10, causing the CPU 11 to function as the second computation unit by means of the pairing computation program, reads the value of 3χp³S stored in the memory unit 13, performs computation of rational points p²(p³S), (3χ+1)p³S respectively and stores values of the respective rational points in the memory unit 13 respectively (Step T7).

Next, the electronic computer 10, causing the CPU 11 to function as the third computation unit by means of the pairing computation program, reads values of respective rational points obtained in step T7 from the memory unit 13 respectively, computes l₇ which is a value at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χp³S, p³S) and l₈ which is a value at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(p³S), (3χ+1)p³S) respectively, and stores values of l₇ and l₈ in the memory unit 13 respectively (Step T8).

Next, the electronic computer 10, causing the CPU 11 to function as a fourth computation unit by means of the pairing computation program, reads a result of the computation in the first computation unit (values of f_(3χ,S)(Q) and f_(3χ,p³S)(Q)), and a result of the computation in the third computation unit (values of l₅, l₆, and l₇, l₈) from the memory unit 13 and computes f′_(χ,S)(Q) expressed as below and stores a result of the computation in the memory unit 13 (Step T9).

[F80]

$$f'_{\chi,S}(Q)=\left(f_{3\chi,S}(Q)\cdot l_5\cdot l_6\right)^{p^3}\cdot f_{3\chi,p^3S}(Q)\cdot l_7\cdot l_8 \qquad \text{(Equation 30)}$$

To be more specific, the electronic computer 10 performs computation of f′_(χ,S)(Q) as follows.

input: S∈G₁, Q∈G₂, 3χ, p
output: f=f′_(χ,S)(Q)
procedure:
1. A←f_(3χ,S) //T₁←3χS is obtained
2. B←g_(T1,S)
3. T₂←T₁+S
4. T₃←p²S
5. C←g_(T3,T2)
6. f←A·B·C
7. T₄←T₃+T₂ //T₄←p³S
8. A←f_(3χ,T4) //T₁←3χp³S
9. B←g_(T1,T4)
10. T₂←T₁+T4
11. T₃←p²T₄
12. C←g_(T3,T2)
13. f←f^(p³)·A·B·C
14. Return f

That is, the CPU 11 performs respective computations of the procedure described above using the memory unit 13, obtains a value of f′_(χ,S)(Q) and stores the value in the memory unit 13. To be more specific, in step 1, the CPU 11 obtains f_(3χ,S) by means of Miller's algorithm, assigns the result to A, and also assigns 3χS obtained simultaneously to T₁. In step 2, the CPU 11 obtains l₅ which is a value at rational point Q of a straight line passing through rational points (3χS, S) and assigns the result to B. In step 3 and step 4, the CPU 11 obtains rational points (3χ+1)S and p²(S) and assigns the results to T₂ and T₃ respectively. In step 5, the CPU 11 obtains l₆ which is a value at rational point Q of a straight line passing through rational points (p²(S), (3χ+1)S) and assigns the result to C. In step 6, the CPU 11 takes a product of A, B and C, obtains a ( ) part of (Equation 30) described above and assigns the result to f. In step 7, the CPU 11 obtains p³S using relationship that p³=p²+3χ+1 and assigns the result to T₄. In step 8, the CPU 11 obtains f_(3χ,p³S) by means of Miller's algorithm and assigns the result to A and also assigns 3χp³S obtained simultaneously to T₁. In step 9, the CPU 11 obtains l₇ which is a value at rational point Q of a straight line passing through rational points (3χp³S, p³S) and assigns the result to B. In step 10 and step 11, the CPU 11 obtains rational points (3χ+1)p³S, p²(p³S) and assigns the results to T₂ and T₃ respectively. In step 12, the CPU 11 obtains l₈ which is a value at rational point Q of a straight line passing through rational points (p²(p³S), (3χ+1)p³S) and assigns the result to C. In step 13, the CPU 11 obtains f′_(χ,S)(Q) and assigns the result to f.

Next, the electronic computer 10, causing the CPU 11 to function as a fifth computation unit by means of the pairing computation program, reads a value of f′_(χ,S)(Q) obtained in step T9 from the memory unit 13, performs an exponentiation of the final exponentiation in pairing e(S, Q) and stores a result of the computation in the memory unit 13 (Step T10).

Hereinafter, an embodiment of Twisted Xate multi-pairing in a case where an embedding degree is 12 is explained in detail. Explanation of the parts which are common to Twisted Xate pairing is omitted. Based on FIG. 5, Twisted Xate multi-pairing in a case where the embedding degree is 12 is explained.

The electronic computer 10, causing the CPU 11 to function as an input unit by means of the started pairing computation program, inputs data of an integer variable χ and data of rational point S both of which are stored preliminarily in the memory unit 13, and data of rational point Q temporarily stored in the memory unit 13 as signature data into predetermined registers provided inside of the CPU 11 respectively (Step U1).

Next, the electronic computer 10, causing the CPU 11 to function as a second computation unit by means of the pairing computation program, performs a computation of rational point pS and stores the value of pS in the memory unit 13 (step U2).

Next, the electronic computer 10, causing the CPU 11 to function as the second computation unit by means of the pairing computation program, performs a computation of rational point pQ and stores the value of pQ in the memory unit 13 (step U3).

Next, the electronic computer 10, causing the CPU 11 to function as a first computation unit by means of the pairing computation program, computes a rational function F_(2χ,ZS)(Z_(Q)) by means of Miller's algorithm with respect to multi-pairing and stores a result of the computation in the memory unit 13 (Step U4).

The electronic computer 10 performs computation of the rational function F_(2χ,ZS)(Z_(Q)) specifically as shown in FIG. 6. In particular, in Step U4, the electronic computer 10 computes 2χS and 2χpS as well as the rational function F_(2χ,ZS)(Z_(Q)) and stores results of the computation in the memory unit 13.

That is, firstly, the electronic computer 10, as initial setting, sets f to be 1, T₁ to be S, T₂ to be pS and also sets the number of bits in a case of binary representation of the integer variable 2χ to be i (Step U41).

Next, the electronic computer 10 performs predetermined computation of the rational function F_(2χ,ZS)(Z_(Q)) part in step U42, performs predetermined computation of 2χS and 2χpS part in step U43, determines whether u_(i) which is a value of i-th bit counted from the least degree of the integer variable 2χ is “1” or “0” (Step U44) and, when u_(i)=1, further performs predetermined computation of F_(2χ,ZS)(Z_(Q)) part in step U45 and predetermined computation of 2χS and 2χpS part in step U46.

Next, the electronic computer 10, when i≠1 (Step U47), decrements i (Step U48), returns to Step U42 and, by repeating the processing until i=1 in Step U47, computes the rational function F_(2χ,ZS)(Z_(Q)), and 2χS and 2χpS, and stores results of the computation in the memory unit 13 respectively.

Next, the electronic computer 10, causing the CPU 11 to function as the second computation unit by means of the pairing computation program, reads values of 2χS and 2χpS stored in the memory unit 13, performs computation of rational points −S, (2χ−1)S, p¹⁰((2χ−1)S), −pS, (2χ−1)pS, and p¹⁰((2χ−1)pS) respectively and stores values of the respective rational points in the memory unit 13 respectively (Step U5).

Next, the electronic computer 10, causing the CPU 11 to function as a third computation unit by means of the pairing computation program, reads values of the respective rational points obtained in step U5 from the memory unit 13 respectively, computes l₁ which is a value at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)S, −S), l₂ which is a value at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)pS, −pS), l₃ which is a value at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)S), 2χS) and l₄ which is a value at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)pS), 2χpS) respectively, and stores values of l₁, l₂, l₃, and l₄ in the memory unit 13 respectively (Step U6).

To be more specific, the electronic computer 10 computes l=l_(A,B)(Q) as follows.

λ_(A,B)←(y_(B)−y_(A))/(x_(B)−x_(A)),

l_(A,B)(Q)←(x_(Q)−x_(B))λ_(A,B)−(y_(Q)−y_(B))

That is, the CPU 11 computes a gradient λ_(A,B) using xy coordinates of points A and B, computes l_(A,B)(Q) using a result of the computation and xy coordinates of the points Q and B, and stores a result of the computation in the memory unit 13.

Next, the electronic computer 10, causing the CPU 11 to function as a fourth computation unit by means of the pairing computation program, reads a result of the computation in the first computation unit (Step U4), and a result of the computation in the third computation unit (values of l₁, l₂, l₃, and l₄) from the memory unit 13, computes f′_(χ,S)(Q) expressed as below, and stores a result of the computation in the memory unit 13 (Step U7).

[F81]

$$f'_{\chi,S}(Q)=\left\{F_{2\chi,Z_S}(Z_Q)\cdot\left\{l_1^{\,p}\cdot l_2\right\}^{-1}\right\}^{p^{10}}\cdot F_{2\chi,Z_S}(Z_Q)\cdot l_3^{\,p}\cdot l_4 \qquad \text{(Equation 31)}$$

Next, the electronic computer 10, causing the CPU 11 to function as a fifth computation unit by means of the pairing computation program, reads a value of f′_(χ,S)(Q) obtained in step U7 from the memory unit 13, performs an exponentiation of the final exponentiation in pairing e(S, Q), and stores a result of the computation in the memory unit 13 (Step U8).

To be more specific, the electronic computer 10 performs a computation of f′_(χ,S)(Q) as follows.

input: Z_(S)={S, pS∈G₁}, Z_(Q)={pQ, Q∈G₂}, 2χ, p
output: f=f′_(χ,S)(Q)
procedure:
1. A←MMA(2χ, 2, Z_(S), Z_(Q)) //T₁←2χS, T₂←2χpS
2. T₃←−S
3. T₄←T₁+T₃
4. B←g_(T4,T3)
5. T₅←−pS
6. T₆←T₂+T₅
7. C←g_(T5,T6)
8. f←B^(p)·C
9. f←A·f⁻¹
10. T₃←p¹⁰T₄
11. B←g_(T3,T1)
12. T₅←p¹⁰T₆
13. C←g_(T5,T2)
14. D←B^(p)·C
15. f←f^(p¹⁰)·A·D
16. Return f

That is, the CPU 11 performs respective computations of the procedure described above using the memory unit 13, obtains f′_(χ,S)(Q), and stores the value in the memory unit 13. To be more specific, in step 1, the CPU 11 obtains F_(2χ,ZS) by means of Miller's algorithm with respect to multi-pairing, assigns the result to A, and also assigns 2χS and 2χpS obtained simultaneously to T₁ and T₂ respectively. In step 2 and step 3, the CPU 11 obtains rational points −S and (2χ−1)S and assigns the results to T₃ and T₄ respectively. In step 4, the CPU 11 obtains l₁ which is a value at rational point Q of a straight line passing through rational points ((2χ−1)S, −S) and assigns the result to B. In step 5 and 6, the CPU 11 obtains rational points −pS and (2χ−1)pS and assigns the results to T₅ and T₆ respectively. In step 7, the CPU 11 obtains l₂ which is a value at rational point Q of a straight line passing through rational points (−pS, (2χ−1)pS) and assigns the result to C. In step 8, the CPU 11 takes a product of B to the power of p and C, obtains a { } part of the inside of (Equation 31) described above and assigns the result to f. In step 9, the CPU 11 obtains a { } part of the outside of (Equation 31) described above and assigns the result to f. In step 10, the CPU 11 obtains a value of rational point p¹⁰((2χ−1)S) and assigns the result to T₃. In step 11, the CPU 11 obtains l₃ which is a value at rational point Q of a straight line passing through rational points (p¹⁰((2χ−1)S), 2χS) and assigns the result to B. In step 12, the CPU 11 obtains rational point p¹⁰((2χ−1)pS) and assigns the result to T₅. In step 13, the CPU 11 obtains l₄ which is a value at rational point Q of a straight line passing through rational points (p¹⁰((2χ−1)pS), 2χpS) and assigns the result to C. In step 14, the CPU 11 obtains a product of B to the power of p and C. In step 15, the CPU 11 obtains the whole of (Equation 31) described above and assigns the result (f′_(χ,S)(Q)) to f.
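The Miller loop of FIG. 3 (f and T updated together, so that nS is obtained along with f) and its multi-pairing variant of FIG. 6 (one squaring of f shared by both point pairs) can be tried on a small curve. The following Python code is an added example, not the program of this document: it generalizes to a toy supersingular curve y²=x³+x over F₅₉ with embedding degree 2 and r=5 instead of the embedding degree 12 and 8 curves above, and the parameters, the points S and Q, the distortion map and all function names are assumptions chosen for illustration.

```python
# Toy parameters, constructed for illustration (far too small for real use).
P = 59  # characteristic; P % 4 == 3, so F_{p^2} = F_p[i] with i^2 = -1
A = 1   # curve y^2 = x^3 + A*x over F_p (supersingular, P + 1 points)
R = 5   # prime order r of the subgroup; r divides P + 1
K = 2   # embedding degree k: r divides P**K - 1

def inv(a):
    """Inverse in F_p."""
    return pow(a % P, P - 2, P)

def fp2_mul(u, v):
    """(a + b*i)(c + d*i) in F_{p^2}; elements are (real, imaginary) tuples."""
    (a, b), (c, d) = u, v
    return ((a * c - b * d) % P, (a * d + b * c) % P)

def fp2_pow(u, e):
    """Square-and-multiply exponentiation in F_{p^2}."""
    out = (1, 0)
    while e:
        if e & 1:
            out = fp2_mul(out, u)
        u = fp2_mul(u, u)
        e >>= 1
    return out

def slope(a_pt, b_pt):
    """Gradient of the line through A and B (tangent if A == B); None if vertical."""
    (xa, ya), (xb, yb) = a_pt, b_pt
    if xa == xb and (ya + yb) % P == 0:
        return None
    if a_pt == b_pt:
        return (3 * xa * xa + A) * inv(2 * ya) % P
    return (yb - ya) * inv(xb - xa) % P

def ec_add(a_pt, b_pt):
    """Affine addition on E(F_p); None is the point at infinity."""
    if a_pt is None or b_pt is None:
        return b_pt if a_pt is None else a_pt
    lam = slope(a_pt, b_pt)
    if lam is None:
        return None
    x3 = (lam * lam - a_pt[0] - b_pt[0]) % P
    return (x3, (lam * (a_pt[0] - x3) - a_pt[1]) % P)

def ec_mul(n, pt):
    """Scalar multiplication n*pt by double-and-add."""
    acc = None
    while n:
        if n & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        n >>= 1
    return acc

def distort(pt):
    """Map (x, y) to Q = (-x, i*y), stored as (x_Q, imaginary coefficient of y_Q)."""
    return ((-pt[0]) % P, pt[1])

def line(a_pt, b_pt, q):
    """l_{A,B}(Q) = (x_Q - x_B)*lam - (y_Q - y_B) as an element of F_{p^2}."""
    lam = slope(a_pt, b_pt)
    if lam is None:
        # Vertical line: its value lies in F_p and is removed by the final
        # exponentiation, so it is replaced by 1.
        return (1, 0)
    return (((q[0] - b_pt[0]) * lam + b_pt[1]) % P, (-q[1]) % P)

def multi_miller(n, s_list, q_list):
    """Return (product of f_{n,S_j}(Q_j), [n*S_j]); n must not exceed the order of S_j."""
    f, ts = (1, 0), list(s_list)
    for bit in bin(n)[3:]:                    # bits below the most significant one
        f = fp2_mul(f, f)                     # one squaring shared by all pairs
        for j, q in enumerate(q_list):        # doubling step for each pair
            f = fp2_mul(f, line(ts[j], ts[j], q))
            ts[j] = ec_add(ts[j], ts[j])
        if bit == "1":
            for j, q in enumerate(q_list):    # addition step for each pair
                f = fp2_mul(f, line(ts[j], s_list[j], q))
                ts[j] = ec_add(ts[j], s_list[j])
    return f, ts

def miller(n, s, q):
    """Single-pair Miller loop: returns (f_{n,S}(Q), n*S)."""
    f, ts = multi_miller(n, [s], [q])
    return f, ts[0]

def final_exp(f):
    """Final exponentiation f^((p^k - 1)/r)."""
    return fp2_pow(f, (P ** K - 1) // R)

def tate(s, q):
    """Reduced Tate pairing e(S, Q) on the toy curve."""
    return final_exp(miller(R, s, q)[0])

S = (25, 30)    # constructed point of order R on E(F_p)
Q = distort(S)  # constructed second argument, outside E(F_p)
```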

In the embodiment, Twisted Xate multi-pairing in the case where the embedding degree is 12 is explained. However, it is possible to compute Twisted Xate multi-pairing at high speed also in a case where the embedding degree is 8 by means of the similar algorithm. Explanation of the parts which are common to Twisted Xate pairing is omitted. Computation of multi-pairing in the case where the embedding degree is 8 is explained with reference to FIG. 7.

The electronic computer 10, causing the CPU 11 to function as an input unit by means of the started pairing computation program, inputs data of an integer variable χ and data of rational point S both of which are stored preliminarily in the memory unit 13, and data of rational point Q temporarily stored in the memory unit 13 as signature data into predetermined registers provided inside of the CPU 11 respectively (Step V1).

Next, the electronic computer 10, causing the CPU 11 to function as a second computation unit by means of the pairing computation program, performs a computation of rational point p³S and stores the value of p³S in the memory unit 13 (step V2).

Next, the electronic computer 10, causing the CPU 11 to function as the second computation unit by means of the pairing computation program, performs a computation of rational point p³Q and stores the value of p³Q in the memory unit 13 (step V3).

Next, the electronic computer 10, causing the CPU 11 to function as a first computation unit by means of the pairing computation program, computes a rational function F_(3χ,ZS)(Z_(Q)) by means of Miller's algorithm with respect to multi-pairing and stores a result of the computation in the memory unit 13 (Step V4). In this Step V4, the electronic computer 10 performs the same computation processing as a flowchart shown in FIG. 6 except that anti-logarithm of logarithm to base two is 3χ, and all p become p³.

Also in step V4, the electronic computer 10 computes 3χS and 3χp³S as well as the rational function F_(3χ,ZS)(Z_(Q)) and stores results of the computation in the memory unit 13.

After computing the rational function F_(3χ,ZS)(Z_(Q)), and 3χS and 3χp³S, the electronic computer 10, causing the CPU 11 to function as the second computation unit by means of the pairing computation program, reads values of 3χS and 3χp³S stored in the memory unit 13, performs computation of rational points p²(S), (3χ+1)S, p²(p³S), and (3χ+1)p³S respectively and stores values of the respective rational points in the memory unit 13 respectively (Step V5).

Next, the electronic computer 10, causing the CPU 11 to function as a third computation unit by means of the pairing computation program, reads values of the respective rational points obtained in step V5 from the memory unit 13 respectively, computes l₅ which is a value at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χS, S), l₆ which is a value at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(S), (3χ+1)S), l₇ which is a value at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χp³S, p³S) and l₈ which is a value at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(p³S), (3χ+1)p³S) respectively, and stores values of l₅, l₆, l₇, and l₈ in the memory unit 13 respectively (Step V6).

To be more specific, in the same way as in the case where the embedding degree is 12, the electronic computer 10 computes l=l_(A,B)(Q) as follows.

λ_(A,B)←(y_(B)−y_(A))/(x_(B)−x_(A)),

l_(A,B)(Q)←(x_(Q)−x_(B))λ_(A,B)−(y_(Q)−y_(B))

Next, the electronic computer 10, causing the CPU 11 to function as a fourth computation unit by means of the pairing computation program, reads a result of the computation in the first computation unit, and a result of the computation in the third computation unit (values of l₅, l₆, l₇, and l₈) from the memory unit 13 and computes f′_(χ,S)(Q) expressed as below and stores a result of the computation in the memory unit 13 (Step V7).

[F82]

f′_(χ,S)(Q) = F_(3χ,ZS) · {l₅ · l₆}^(p³) · l₇ · l₈   (Equation 32)

To be more specific, the electronic computer 10 performs the computation of f′_(χ,S)(Q) as follows.

input: Z_(S) = {S, p³S ∈ G₁}, Z_(Q) = {p³Q, Q ∈ G₂}, 3χ, p
output: f = f′_(χ,S)(Q)
procedure:
 1. A ← MMA(3χ, 2, Z_(S), Z_(Q))   // T₁ ← 3χS, T₂ ← 3χp³S
 2. B ← g_(3χS, S)
 3. T₃ ← T₁ + S
 4. T₄ ← p²S
 5. C ← g_(T₄, T₃)
 6. f ← B·C
 7. f ← f^(p³)
 8. f ← A·f
 9. B ←
10. T₃ ← T₂ + p³S
11. T₄ ← p²p³S
12. C ← g_(T₄, T₃)
13. f ← f·B·C
14. Return f

That is, the CPU 11 performs the respective computations of the procedure described above using the memory unit 13, obtains f′_(χ,S)(Q), and stores the value in the memory unit 13. To be more specific, in step 1, the CPU 11 obtains F_(3χ,ZS) by means of Miller's algorithm with respect to multi-pairing and assigns the result to A, and also assigns 3χS and 3χp³S, obtained simultaneously, to T₁ and T₂ respectively. In step 2, the CPU 11 obtains l₅, which is the value at rational point Q of a straight line passing through rational points (3χS, S), and assigns the result to B. In step 3 and step 4, the CPU 11 obtains rational points (3χ+1)S and p²(S) and assigns the results to T₃ and T₄ respectively. In step 5, the CPU 11 obtains l₆, which is the value at rational point Q of a straight line passing through rational points (p²(S), (3χ+1)S), and assigns the result to C. In step 6, the CPU 11 takes the product of B and C, obtains the inside of the { } part of (Equation 32) described above, and assigns the result to f. In step 7, the CPU 11 obtains the { } part of (Equation 32) described above. In step 8, the CPU 11 obtains the result up to the { } part of (Equation 32) described above and assigns the result to f. In step 9, the CPU 11 obtains l₇, which is the value at rational point Q of a straight line passing through rational points (3χp³S, p³S), and assigns the result to B. In step 10 and step 11, the CPU 11 obtains rational points (3χ+1)p³S and p²(p³S), and assigns the results to T₃ and T₄ respectively. In step 12, the CPU 11 obtains l₈, which is the value at rational point Q of a straight line passing through rational points (p²(p³S), (3χ+1)p³S), and assigns the result to C. In step 13, the CPU 11 obtains f′_(χ,S)(Q) and assigns the result to f.

Next, the electronic computer 10, causing the CPU 11 to function as a fifth computation unit by means of the pairing computation program, reads the value of f′_(χ,S)(Q) obtained in step V7, performs the final exponentiation of the pairing e(S, Q), and stores the result of the computation in the memory unit 13 (Step V8).

In addition, in the explanation made above, the memory unit 13 is used as the storage means for storing each computation result. However, registers provided inside the CPU 11 may be used as the storage means instead.
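The line value l_(A,B)(Q) and the final exponentiation by (p^k − 1)/r used in steps V6 to V8 can be exercised end to end on a small curve. The Python below is an added example, not code from the patent: it assumes a toy supersingular curve y² = x³ + x over F_p with p = 10007, r = 139 and embedding degree 2 (all constructed values), and it runs the plain Miller loop over r rather than the 3χ loop with multi-pairing.

```python
# Added example (not from the patent): reduced Tate pairing on the toy curve
# y^2 = x^3 + x over F_p, p % 4 == 3, so #E(F_p) = p + 1 and k = 2.
P_MOD = 10007            # constructed prime p
R = 139                  # constructed prime order r; p + 1 = 72 * 139
K = 2                    # embedding degree: r | p^2 - 1, r does not divide p - 1
A_COEF = 1               # coefficient a of y^2 = x^3 + a*x


def f2_mul(u, v):
    """Multiply in F_{p^2} = F_p[i]/(i^2 + 1); (c0, c1) means c0 + c1*i."""
    return ((u[0] * v[0] - u[1] * v[1]) % P_MOD,
            (u[0] * v[1] + u[1] * v[0]) % P_MOD)


def f2_pow(u, e):
    out = (1, 0)
    while e:
        if e & 1:
            out = f2_mul(out, u)
        u = f2_mul(u, u)
        e >>= 1
    return out


def slope(A, B):
    """lambda_{A,B}; tangent slope when A == B; None when the line is vertical."""
    (xa, ya), (xb, yb) = A, B
    if xa == xb and (ya + yb) % P_MOD == 0:
        return None
    if A == B:
        return (3 * xa * xa + A_COEF) * pow(2 * ya % P_MOD, -1, P_MOD) % P_MOD
    return (yb - ya) * pow((xb - xa) % P_MOD, -1, P_MOD) % P_MOD


def add(A, B):
    """Affine group law on E(F_p); None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    lam = slope(A, B)
    if lam is None:
        return None
    x3 = (lam * lam - A[0] - B[0]) % P_MOD
    return (x3, (lam * (A[0] - x3) - A[1]) % P_MOD)


def mul(n, A):
    out = None
    while n:
        if n & 1:
            out = add(out, A)
        A = add(A, A)
        n >>= 1
    return out


def line(A, B, Q):
    """l_{A,B}(Q) = (x_Q - x_B)*lambda_{A,B} - (y_Q - y_B), the page's formula.

    Q = (xq, yq) encodes the G2 point (xq, yq*i). A vertical line takes a value
    in F_p, which the final exponentiation sends to 1, so 1 is returned for it.
    """
    lam = slope(A, B)
    if lam is None:
        return (1, 0)
    xq, yq = Q
    return (((xq - B[0]) * lam + B[1]) % P_MOD, (-yq) % P_MOD)


def miller(S, Q, n=R):
    """f_{n,S}(Q) by double-and-add; vertical-line denominators are dropped."""
    f, T = (1, 0), S
    for bit in bin(n)[3:]:
        f = f2_mul(f2_mul(f, f), line(T, T, Q))
        T = add(T, T)
        if bit == "1":
            f = f2_mul(f, line(T, S, Q))
            T = add(T, S)
    return f


def pairing(S, Q):
    """e(S, Q) = f_{r,S}(Q)^((p^k - 1)/r)."""
    return f2_pow(miller(S, Q), (P_MOD ** K - 1) // R)


def to_g2(pt):
    """Distortion map (x, y) -> (-x, i*y): lands in Ker(phi_p - [p])."""
    return ((-pt[0]) % P_MOD, pt[1])


def order_r_point():
    """First point by x-coordinate whose cofactor multiple has order r."""
    for x in range(1, P_MOD):
        rhs = (x ** 3 + A_COEF * x) % P_MOD
        y = pow(rhs, (P_MOD + 1) // 4, P_MOD)   # square root since p % 4 == 3
        if y * y % P_MOD == rhs:
            S = mul((P_MOD + 1) // R, (x, y))
            if S is not None:
                return S
    raise ValueError("no point of order r found")
```

With S = order_r_point() and Q = to_g2(S), pairing(mul(a, S), to_g2(mul(b, S))) equals pairing(S, Q) raised to a·b, which is the bilinearity the final exponentiation is there to guarantee.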

EXPLANATION OF SYMBOLS

10 electronic computer

11 CPU

12 storage unit

13 memory unit

14 bus

15 input output control part

20 telecommunication line

30 client device

1. A pairing computation device, wherein an elliptic curve is given as y²=x³+ax+b, a∈F_(p), b∈F_(p), letting k be an embedding degree, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p^k), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using G₁ = E[r] ∩ Ker(φ_(p) − [1]), G₂ = E[r] ∩ Ker(φ_(p) − [p]), as a non-degenerate bilinear map e: G₁ × G₂ → F*_(p^k)/(F*_(p^k))^(r), the pairing computation device comprising a CPU which computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and F be a rational function which is calculated using Miller's algorithm with respect to multi-pairing (MMA), wherein the order r and a trace t of the Frobenius endomorphism φ_(p) are specified preliminarily according to the embedding degree k using the integer variable χ, and the CPU includes: an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers; a computation unit which computes F; a computation unit which computes a value of a straight line passing through given rational points at a rational point Q(x_(Q), y_(Q)); a computation unit which computes f′_(χ,S)(Q) using said F and said value; and a computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as [F1] e(S, Q) = f′_(χ,S)(Q)^((p^k − 1)/r).
2. A pairing computation method, wherein an elliptic curve is given as y²=x³+ax+b, a∈F_(p), b∈F_(p), letting k be an embedding degree, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p^k), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using G₁ = E[r] ∩ Ker(φ_(p) − [1]), G₂ = E[r] ∩ Ker(φ_(p) − [p]), as a non-degenerate bilinear map e: G₁ × G₂ → F*_(p^k)/(F*_(p^k))^(r), an electronic computer which includes a CPU computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and F be a rational function which is calculated using Miller's algorithm with respect to multi-pairing (MMA), the order r and a trace t of the Frobenius endomorphism φ_(p) being specified preliminarily according to the embedding degree k using the integer variable χ, the pairing computation method comprising: a step of inputting the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers by causing the CPU of the electronic computer to function as an input unit; a step of computing F by causing the CPU of the electronic computer to function as a computation unit; a step of computing a value of a straight line passing through given rational points at a rational point Q(x_(Q), y_(Q)) by causing the CPU of the electronic computer to function as a computation unit; a step of computing f′_(χ,S)(Q) using said F and said value by causing the CPU of the electronic computer to function as a computation unit; and a step of computing the pairing e(S, Q) using said f′_(χ,S)(Q) as [F2] e(S, Q) = f′_(χ,S)(Q)^((p^k − 1)/r) by causing the CPU of the electronic computer to function as a computation unit.
3. A recording medium storing a pairing computation program, wherein an elliptic curve is given as y²=x³+ax+b, a∈F_(p), b∈F_(p), letting k be an embedding degree, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p^k), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using G₁ = E[r] ∩ Ker(φ_(p) − [1]), G₂ = E[r] ∩ Ker(φ_(p) − [p]), as a non-degenerate bilinear map e: G₁ × G₂ → F*_(p^k)/(F*_(p^k))^(r), the pairing computation program causes an electronic computer which includes a CPU to compute the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and F be a rational function which is calculated using Miller's algorithm with respect to multi-pairing (MMA), the order r and a trace t of the Frobenius endomorphism φ_(p) being specified preliminarily according to the embedding degree k using the integer variable χ, the pairing computation program causing the CPU of the electronic computer to function as: an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers; a computation unit which computes F; a computation unit which computes a value of a straight line passing through given rational points at a rational point Q(x_(Q), y_(Q)); a computation unit which computes f′_(χ,S)(Q) using said F and said value; and a computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as [F3] e(S, Q) = f′_(χ,S)(Q)^((p^k − 1)/r).
4. A pairing computation device, wherein an elliptic curve is given as y²=x³+b, b∈F_(p), letting an embedding degree be 12, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p¹²), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using G₁ = E[r] ∩ Ker(φ_(p) − [1]), G₂ = E[r] ∩ Ker(φ_(p) − [p]), as a non-degenerate bilinear map e: G₁ × G₂ → F*_(p¹²)/(F*_(p¹²))^(r), the pairing computation device comprising a CPU which computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, Z_(S) be a set of rational points S and pS, Z_(Q) be a set of rational points pQ and Q, and F_(2χ,ZS)(Z_(Q)) be a rational function which is calculated using Miller's algorithm with respect to multi-pairing (MMA), wherein the order r and a trace t of the Frobenius endomorphism φ_(p) are specified using the integer variable χ as r(χ) = 36χ⁴ − 36χ³ + 18χ² − 6χ + 1, t(χ) = 6χ² + 1, and a representation of the integer variable χ using p¹⁰ with p as a characteristic is p ≡ (2χ−1)p¹⁰ + 2χ (mod r(χ)), and the CPU includes: an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers; a first computation unit which computes F_(2χ,ZS)(Z_(Q)); a second computation unit which computes given rational points using 2χS and 2χpS which are calculated when computing said F_(2χ,ZS)(Z_(Q)); a third computation unit which computes a value at a rational point Q(x_(Q), y_(Q)) of a straight line passing through the given rational points; a fourth computation unit which computes f′_(χ,S)(Q) using said F_(2χ,ZS)(Z_(Q)) and said value; and a fifth computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as [F4] e(S, Q) = f′_(χ,S)(Q)^((p¹² − 1)/r).
5. The pairing computation device according to claim 4, wherein the second computation unit computes respective rational points −S, (2χ−1)S, p¹⁰((2χ−1)S), −pS, (2χ−1)pS, p¹⁰((2χ−1)pS) in order using previously obtained results, the third computation unit respectively computes a value l₁ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)S, −S), a value l₂ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)pS, −pS), a value l₃ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)S), 2χS), and a value l₄ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)pS), 2χpS), and the fourth computation unit computes f′_(χ,S)(Q) as [F5] f′_(χ,S)(Q) = {F_(2χ,ZS)(Z_(Q)) · {l₁^(p) · l₂}⁻¹}^(p¹⁰) · F_(2χ,ZS)(Z_(Q)) · l₃^(p) · l₄.
6. A pairing computation method, wherein an elliptic curve is given as y²=x³+b, b∈F_(p), letting an embedding degree be 12, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p¹²), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using G₁ = E[r] ∩ Ker(φ_(p) − [1]), G₂ = E[r] ∩ Ker(φ_(p) − [p]), as a non-degenerate bilinear map e: G₁ × G₂ → F*_(p¹²)/(F*_(p¹²))^(r), an electronic computer which includes a CPU computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, Z_(S) be a set of rational points S and pS, Z_(Q) be a set of rational points pQ and Q, and F_(2χ,ZS)(Z_(Q)) be a rational function which is calculated using Miller's algorithm with respect to multi-pairing (MMA), the order r and a trace t of the Frobenius endomorphism φ_(p) being specified using the integer variable χ as r(χ) = 36χ⁴ − 36χ³ + 18χ² − 6χ + 1, t(χ) = 6χ² + 1, and a representation of the integer variable χ using p¹⁰ with p as a characteristic being p ≡ (2χ−1)p¹⁰ + 2χ (mod r(χ)), the pairing computation method comprising: an input step which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers by causing the CPU of the electronic computer to function as an input unit; a first computation step which computes F_(2χ,ZS)(Z_(Q)) by causing the CPU of the electronic computer to function as a first computation unit; a second computation step which computes given rational points using 2χS and 2χpS which are calculated when computing said F_(2χ,ZS)(Z_(Q)) by causing the CPU of the electronic computer to function as a second computation unit; a third computation step which computes a value at a rational point Q(x_(Q), y_(Q)) of a straight line passing through the given rational points by causing the CPU of the electronic computer to function as a third computation unit; a fourth computation step which computes f′_(χ,S)(Q) using said F_(2χ,ZS)(Z_(Q)) and said value by causing the CPU of the electronic computer to function as a fourth computation unit; and a fifth computation step which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as [F6] e(S, Q) = f′_(χ,S)(Q)^((p¹² − 1)/r), by causing the CPU of the electronic computer to function as a fifth computation unit.
7. The pairing computation method according to claim 6, wherein the second computation step computes respective rational points −S, (2χ−1)S, p¹⁰((2χ−1)S), −pS, (2χ−1)pS, p¹⁰((2χ−1)pS) in order using previously obtained results, the third computation step respectively computes a value l₁ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)S, −S), a value l₂ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)pS, −pS), a value l₃ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)S), 2χS), and a value l₄ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)pS), 2χpS), and the fourth computation step computes f′_(χ,S)(Q) as [F7] f′_(χ,S)(Q) = {F_(2χ,ZS)(Z_(Q)) · {l₁^(p) · l₂}⁻¹}^(p¹⁰) · F_(2χ,ZS)(Z_(Q)) · l₃^(p) · l₄.
8. A recording medium storing a pairing computation program, wherein an elliptic curve is given as y²=x³+b, b∈F_(p), letting an embedding degree be 12, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p¹²), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using G₁ = E[r] ∩ Ker(φ_(p) − [1]), G₂ = E[r] ∩ Ker(φ_(p) − [p]), as a non-degenerate bilinear map e: G₁ × G₂ → F*_(p¹²)/(F*_(p¹²))^(r), the pairing computation program causes an electronic computer which includes a CPU to compute the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, Z_(S) be a set of rational points S and pS, Z_(Q) be a set of rational points pQ and Q, and F_(2χ,ZS)(Z_(Q)) be a rational function which is calculated using Miller's algorithm with respect to multi-pairing (MMA), the order r and a trace t of the Frobenius endomorphism φ_(p) being specified using the integer variable χ as r(χ) = 36χ⁴ − 36χ³ + 18χ² − 6χ + 1, t(χ) = 6χ² + 1, and a representation of the integer variable χ using p¹⁰ with p as a characteristic being p ≡ (2χ−1)p¹⁰ + 2χ (mod r(χ)), the pairing computation program causing the CPU of the electronic computer to function as: an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers; a first computation unit which computes F_(2χ,ZS)(Z_(Q)); a second computation unit which computes given rational points using 2χS and 2χpS which are calculated when computing said F_(2χ,ZS)(Z_(Q)); a third computation unit which computes a value at a rational point Q(x_(Q), y_(Q)) of a straight line passing through the given rational points; a fourth computation unit which computes f′_(χ,S)(Q) using said F_(2χ,ZS)(Z_(Q)) and said value; and a fifth computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as [F8] e(S, Q) = f′_(χ,S)(Q)^((p¹² − 1)/r).
9. The recording medium storing a pairing computation program according to claim 8, wherein the pairing computation program causes: the CPU of the electronic computer which functions as the second computation unit to compute respective rational points −S, (2χ−1)S, p¹⁰((2χ−1)S), −pS, (2χ−1)pS, p¹⁰((2χ−1)pS) in order using previously obtained results; the CPU of the electronic computer which functions as the third computation unit to compute respectively a value l₁ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)S, −S), a value l₂ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)pS, −pS), a value l₃ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)S), 2χS), and a value l₄ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)pS), 2χpS); and the CPU of the electronic computer which functions as the fourth computation unit to compute f′_(χ,S)(Q) as [F9] f′_(χ,S)(Q) = {F_(2χ,ZS)(Z_(Q)) · {l₁^(p) · l₂}⁻¹}^(p¹⁰) · F_(2χ,ZS)(Z_(Q)) · l₃^(p) · l₄.
10. A pairing computation device, wherein an elliptic curve is given as y²=x³+ax, a∈F_(p), letting an embedding degree be 8, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p⁸), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using G₁ = E[r] ∩ Ker(φ_(p) − [1]), G₂ = E[r] ∩ Ker(φ_(p) − [p]), as a non-degenerate bilinear map e: G₁ × G₂ → F*_(p⁸)/(F*_(p⁸))^(r), the pairing computation device comprising a CPU which computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, Z_(S) be a set of rational points S and p³S, Z_(Q) be a set of rational points p³Q and Q, and F_(3χ,ZS)(Z_(Q)) be a rational function which is calculated using Miller's algorithm with respect to multi-pairing (MMA), wherein the order r and a trace t of the Frobenius endomorphism φ_(p) are specified using the integer variable χ as r(χ) = 9χ⁴ + 12χ³ + 8χ² + 4χ + 1, t(χ) = −9χ³ − 3χ² − 2χ, and a representation of the integer variable χ using p² and p³ with p as a characteristic is p³ ≡ p² + 3χ + 1 (mod r(χ)), and the CPU includes: an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers; a first computation unit which computes F_(3χ,ZS)(Z_(Q)); a second computation unit which computes respective rational points p²(S), p²(p³S), (3χ+1)S, (3χ+1)p³S in order using previously obtained results; a third computation unit which respectively computes a value l₅ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χS, S), a value l₆ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(S), (3χ+1)S), a value l₇ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χp³S, p³S), and a value l₈ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(p³S), (3χ+1)p³S); and the fourth computation unit which computes f′_(χ,S)(Q) using a computation result of the first computation unit and a computation result of the third computation unit as [F10] f′_(χ,S)(Q) = F_(3χ,ZS)(Z_(Q)) · {l₅ · l₆}^(p³) · l₇ · l₈; and a fifth computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as [F11] e(S, Q) = f′_(χ,S)(Q)^((p⁸ − 1)/r).
11. A pairing computation method, wherein an elliptic curve is given as y²=x³+ax, a∈F_(p), letting an embedding degree be 8, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p⁸), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using G₁ = E[r] ∩ Ker(φ_(p) − [1]), G₂ = E[r] ∩ Ker(φ_(p) − [p]), as a non-degenerate bilinear map e: G₁ × G₂ → F*_(p⁸)/(F*_(p⁸))^(r), an electronic computer which includes a CPU computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, Z_(S) be a set of rational points S and p³S, Z_(Q) be a set of rational points p³Q and Q, and F_(3χ,ZS)(Z_(Q)) be a rational function which is calculated using Miller's algorithm with respect to multi-pairing (MMA), the order r and a trace t of the Frobenius endomorphism φ_(p) being specified using the integer variable χ as r(χ) = 9χ⁴ + 12χ³ + 8χ² + 4χ + 1, t(χ) = −9χ³ − 3χ² − 2χ, and a representation of the integer variable χ using p² and p³ with p as a characteristic being p³ ≡ p² + 3χ + 1 (mod r(χ)), the pairing computation method comprising: an input step which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers by causing the CPU of the electronic computer to function as an input unit; a first computation step which computes F_(3χ,ZS)(Z_(Q)) by causing the CPU of the electronic computer to function as a first computation unit; a second computation step which computes respective rational points p²(S), p²(p³S), (3χ+1)S, (3χ+1)p³S in order using previously obtained results by causing the CPU of the electronic computer to function as a second computation unit; a third computation step which respectively computes a value l₅ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χS, S), a value l₆ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(S), (3χ+1)S), a value l₇ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χp³S, p³S), and a value l₈ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(p³S), (3χ+1)p³S) by causing the CPU of the electronic computer to function as a third computation unit; and a fourth computation step which computes f′_(χ,S)(Q) using said F_(3χ,ZS)(Z_(Q)) and said values l₅, l₆, l₇, l₈ as [F12] f′_(χ,S)(Q) = F_(3χ,ZS)(Z_(Q)) · {l₅ · l₆}^(p³) · l₇ · l₈ by causing the CPU of the electronic computer to function as a fourth computation unit; and a fifth computation step which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as [F13] e(S, Q) = f′_(χ,S)(Q)^((p⁸ − 1)/r) by causing the CPU of the electronic computer to function as a fifth computation unit.
12. A recording medium storing a pairing computation program, wherein an elliptic curve is given as y²=x³+ax, a∈F_(p), letting an embedding degree be 8, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p⁸), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using G₁ = E[r] ∩ Ker(φ_(p) − [1]), G₂ = E[r] ∩ Ker(φ_(p) − [p]), as a non-degenerate bilinear map e: G₁ × G₂ → F*_(p⁸)/(F*_(p⁸))^(r), the pairing computation program causes an electronic computer which includes a CPU to compute the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, Z_(S) be a set of rational points S and p³S, Z_(Q) be a set of rational points p³Q and Q, and F_(3χ,ZS)(Z_(Q)) be a rational function which is calculated using Miller's algorithm with respect to multi-pairing (MMA), the order r and a trace t of the Frobenius endomorphism φ_(p) being specified using the integer variable χ as r(χ) = 9χ⁴ + 12χ³ + 8χ² + 4χ + 1, t(χ) = −9χ³ − 3χ² − 2χ, and a representation of the integer variable χ using p² and p³ with p as a characteristic being p³ ≡ p² + 3χ + 1 (mod r(χ)), the pairing computation program causing the CPU of the electronic computer to function as: an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers; a first computation unit which computes F_(3χ,ZS)(Z_(Q)); a second computation unit which computes respective rational points p²(S), p²(p³S), (3χ+1)S, (3χ+1)p³S in order using previously obtained results; a third computation unit which respectively computes a value l₅ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χS, S), a value l₆ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(S), (3χ+1)S), a value l₇ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χp³S, p³S), and a value l₈ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(p³S), (3χ+1)p³S); and a fourth computation unit which computes f′_(χ,S)(Q) using said F_(3χ,ZS)(Z_(Q)) and said values l₅, l₆, l₇, l₈ as [F14] f′_(χ,S)(Q) = F_(3χ,ZS)(Z_(Q)) · {l₅ · l₆}^(p³) · l₇ · l₈; and a fifth computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as [F15] e(S, Q) = f′_(χ,S)(Q)^((p⁸ − 1)/r).
13. A pairing computation device, wherein an elliptic curve is given as y²=x³+ax+b, a∈F_(p), b∈F_(p), letting k be an embedding degree, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p^k), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using G₁ = E[r] ∩ Ker(φ_(p) − [1]), G₂ = E[r] ∩ Ker(φ_(p) − [p]), as a non-degenerate bilinear map e: G₁ × G₂ → F*_(p^k)/(F*_(p^k))^(r), the pairing computation device comprising a CPU which computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and f be a rational function which is calculated using Miller's algorithm, wherein the order r and a trace t of the Frobenius endomorphism φ_(p) are specified preliminarily according to the embedding degree k using the integer variable χ, and the CPU includes: an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers; a computation unit which computes f; a computation unit which computes a value of a straight line passing through given rational points at a rational point Q(x_(Q), y_(Q)); a computation unit which computes f′_(χ,S)(Q) using said f and said value; and a computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as [F16] e(S, Q) = f′_(χ,S)(Q)^((p^k − 1)/r).
14. A pairing computation method, wherein an elliptic curve is given as y²=x³+ax+b, a∈F_(p), b∈F_(p), letting k be an embedding degree, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p^k), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using G₁ = E[r] ∩ Ker(φ_(p) − [1]), G₂ = E[r] ∩ Ker(φ_(p) − [p]), as a non-degenerate bilinear map e: G₁ × G₂ → F*_(p^k)/(F*_(p^k))^(r), an electronic computer which includes a CPU computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and f be a rational function which is calculated using Miller's algorithm, the order r and a trace t of the Frobenius endomorphism φ_(p) being specified preliminarily according to the embedding degree k using the integer variable χ, the pairing computation method comprising: a step of inputting the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers by causing the CPU of the electronic computer to function as an input unit; a step of computing f by causing the CPU of the electronic computer to function as a computation unit; a step of computing a value of a straight line passing through given rational points at a rational point Q(x_(Q), y_(Q)) by causing the CPU of the electronic computer to function as a computation unit; a step of computing f′_(χ,S)(Q) using said f and said value by causing the CPU of the electronic computer to function as a computation unit; and a step of computing the pairing e(S, Q) using said f′_(χ,S)(Q) as [F17] e(S, Q) = f′_(χ,S)(Q)^((p^k − 1)/r) by causing the CPU of the electronic computer to function as a computation unit.
15. A recording medium storing a pairing computation program, wherein an elliptic curve is given as y²=x³+ax+b, a∈F_(p), b∈F_(p), letting k be an embedding degree, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p^k), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using G₁ = E[r] ∩ Ker(φ_(p) − [1]), G₂ = E[r] ∩ Ker(φ_(p) − [p]), as a non-degenerate bilinear map e: G₁ × G₂ → F*_(p^k)/(F*_(p^k))^(r), the pairing computation program causes an electronic computer which includes a CPU to compute the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and f be a rational function which is calculated using Miller's algorithm, the order r and a trace t of the Frobenius endomorphism φ_(p) being specified preliminarily according to the embedding degree k using the integer variable χ, the pairing computation program causing the CPU of the electronic computer to function as: an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers; a computation unit which computes f; a computation unit which computes a value of a straight line passing through given rational points at a rational point Q(x_(Q), y_(Q)); a computation unit which computes f′_(χ,S)(Q) using said f and said value; and a computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as [F18] e(S, Q) = f′_(χ,S)(Q)^((p^k − 1)/r).
16. A pairing computation device, wherein an elliptic curve is given as y²=x³+b, b∈F_(p), letting an embedding degree be 12, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p¹²), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using G₁ = E[r] ∩ Ker(φ_(p) − [1]), G₂ = E[r] ∩ Ker(φ_(p) − [p]), as a non-degenerate bilinear map e: G₁ × G₂ → F*_(p¹²)/(F*_(p¹²))^(r), the pairing computation device comprising a CPU which computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, f_(2χ,S)(Q) be a rational function which is calculated using Miller's algorithm, wherein the order r and a trace t of the Frobenius endomorphism φ_(p) are specified using the integer variable χ as r(χ) = 36χ⁴ − 36χ³ + 18χ² − 6χ + 1, t(χ) = 6χ² + 1, and a representation of the integer variable χ using p¹⁰ with p as a characteristic is p ≡ (2χ−1)p¹⁰ + 2χ (mod r(χ)), and the CPU includes: an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers; a first computation unit which computes f_(2χ,S)(Q) and f_(2χ,pS)(Q); a second computation unit which computes given rational points using 2χS and 2χpS which are calculated when computing said f_(2χ,S)(Q) and f_(2χ,pS)(Q); a third computation unit which computes a value at a rational point Q(x_(Q), y_(Q)) of a straight line passing through the given rational points; a fourth computation unit which computes f′_(χ,S)(Q) using said f_(2χ,S)(Q) and said value; and a fifth computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as [F19] e(S, Q) = f′_(χ,S)(Q)^((p¹² − 1)/r).
17. The pairing computation device according to claim 16, wherein the second computation unit computes respective rational points −S, (2χ−1)S, p¹⁰((2χ−1)S), −pS, (2χ−1)pS, p¹⁰((2χ−1)pS) in order using previously obtained results, the third computation unit respectively computes a value l₁ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)S, −S), a value l₂ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)S), 2χS), a value l₃ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)pS, −pS), and a value l₄ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)pS), 2χpS), and the fourth computation unit computes f′_(χ,S)(Q) using the values of the rational point Q(x_(Q), y_(Q)) l₁, l₂, l₃, l₄ as [F20] f′_(χ,S)(Q) = ({f_(2χ,S)(Q) · l₁⁻¹}^(p¹⁰) · f_(2χ,S)(Q) · l₂)^(p) · {f_(2χ,pS)(Q) · l₃⁻¹}^(p¹⁰) · f_(2χ,pS)(Q) · l₄.
18. A pairing computation method, wherein an elliptic curve is given as y²=x³+b, b∈F_(p), letting an embedding degree be 12, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p¹²), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using G₁ = E[r] ∩ Ker(φ_(p) − [1]), G₂ = E[r] ∩ Ker(φ_(p) − [p]), as a non-degenerate bilinear map e: G₁ × G₂ → F*_(p¹²)/(F*_(p¹²))^(r), an electronic computer which includes a CPU computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and f_(2χ,S)(Q) be a rational function which is calculated using Miller's algorithm, the order r and a trace t of the Frobenius endomorphism φ_(p) being specified using the integer variable χ as r(χ) = 36χ⁴ − 36χ³ + 18χ² − 6χ + 1, t(χ) = 6χ² + 1, and a representation of the integer variable χ using p¹⁰ with p as a characteristic being p ≡ (2χ−1)p¹⁰ + 2χ (mod r(χ)), the pairing computation method comprising: an input step which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers by causing the CPU of the electronic computer to function as an input unit; a first computation step which computes f_(2χ,S)(Q) and f_(2χ,pS)(Q) by causing the CPU of the electronic computer to function as a first computation unit; a second computation step which computes given rational points using 2χS and 2χpS which are calculated when computing said f_(2χ,S)(Q) and f_(2χ,pS)(Q) by causing the CPU of the electronic computer to function as a second computation unit; a third computation step which computes a value at a rational point Q(x_(Q), y_(Q)) of a straight line passing through the given rational points by causing the CPU of the electronic computer to function as a third computation unit; a fourth computation step which computes f′_(χ,S)(Q) using said f_(2χ,S)(Q) and said value by causing the CPU of the electronic computer to function as a fourth computation unit; and a fifth computation step which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as [F21] e(S, Q) = f′_(χ,S)(Q)^((p¹² − 1)/r) by causing the CPU of the electronic computer to function as a fifth computation unit.
 19. The pairing computation method according to claim 18, wherein the second computation step computes respective rational points −S, (2χ−1)S, p¹⁰((2χ−1)S), −pS, (2χ−1)pS, p¹⁰((2χ−1)pS) in order using previously obtained results, the third computation step respectively computes a value l₁ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)S, −S), a value l₂ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)S), 2χS), a value l₃ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)pS, −pS), and a value l₄ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)pS), 2χpS), and the fourth computation step computes f′_(χ,S)(Q) using the values of the rational point Q(x_(Q), y_(Q)) l₁, l₂, l₃, l₄ as [F22]

$$f'_{\chi,S}(Q) = \left(\{f_{2\chi,S}(Q)\cdot l_1^{-1}\}^{p^{10}} \cdot f_{2\chi,S}(Q)\cdot l_2\right)^{p} \cdot \{f_{2\chi,pS}(Q)\cdot l_3^{-1}\}^{p^{10}} \cdot f_{2\chi,pS}(Q)\cdot l_4.$$
 20. A recording medium storing a pairing computation program, wherein an elliptic curve is given as y²=x³+b, b∈F_(p), letting an embedding degree be 12, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p¹²), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

$$G_1 = E[r] \cap \mathrm{Ker}(\phi_p - [1]), \qquad G_2 = E[r] \cap \mathrm{Ker}(\phi_p - [p]),$$

as a non-degenerate bilinear map

$$e : G_1 \times G_2 \to F^*_{p^{12}} / (F^*_{p^{12}})^{r},$$

the pairing computation program causes an electronic computer which includes a CPU to compute the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and f_(2χ,S)(Q) and f_(2χ,pS)(Q) be a rational function which is calculated using Miller's algorithm, the order r and a trace t of the Frobenius endomorphism φ_(p) being specified using the integer variable χ as,

$$r(\chi) = 36\chi^4 - 36\chi^3 + 18\chi^2 - 6\chi + 1, \qquad t(\chi) = 6\chi^2 + 1,$$

and a representation of the integer variable χ using p¹⁰ with p as a characteristic being

$$p \equiv (2\chi - 1)p^{10} + 2\chi \pmod{r(\chi)},$$

the pairing computation program causing the CPU of the electronic computer to function as: an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers; a first computation unit which computes f_(2χ,S)(Q) and f_(2χ,pS)(Q); a second computation unit which computes given rational points using 2χS and 2χpS which are calculated when computing said f_(2χ,S)(Q) and f_(2χ,pS)(Q); a third computation unit which computes a value at a rational point Q(x_(Q), y_(Q)) of a straight line passing through the given rational points; a fourth computation unit which computes f′_(χ,S)(Q) using said f_(2χ,S)(Q) and said value; and a fifth computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as [F23]

$$e(S, Q) = f'_{\chi,S}(Q)^{(p^{12}-1)/r}.$$
 21. The recording medium storing a pairing computation program according to claim 20, wherein the pairing computation program causes: the CPU of the electronic computer which functions as the second computation unit to compute respective rational points −S, (2χ−1)S, p¹⁰((2χ−1)S), −pS, (2χ−1)pS, p¹⁰((2χ−1)pS) in order using previously obtained results; the CPU of the electronic computer which functions as the third computation unit to respectively compute a value l₁ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)S, −S), a value l₂ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)S), 2χS), a value l₃ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points ((2χ−1)pS, −pS), and a value l₄ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p¹⁰((2χ−1)pS), 2χpS); and the CPU of the electronic computer which functions as the fourth computation unit to compute f′_(χ,S)(Q) using the values of the rational point Q(x_(Q), y_(Q)) l₁, l₂, l₃, l₄ as [F24]

$$f'_{\chi,S}(Q) = \left(\{f_{2\chi,S}(Q)\cdot l_1^{-1}\}^{p^{10}} \cdot f_{2\chi,S}(Q)\cdot l_2\right)^{p} \cdot \{f_{2\chi,pS}(Q)\cdot l_3^{-1}\}^{p^{10}} \cdot f_{2\chi,pS}(Q)\cdot l_4.$$
 22. A pairing computation device, wherein an elliptic curve is given as y²=x³+ax, a∈F_(p), letting an embedding degree be 8, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p⁸), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

$$G_1 = E[r] \cap \mathrm{Ker}(\phi_p - [1]), \qquad G_2 = E[r] \cap \mathrm{Ker}(\phi_p - [p]),$$

as a non-degenerate bilinear map

$$e : G_1 \times G_2 \to F^*_{p^{8}} / (F^*_{p^{8}})^{r},$$

the pairing computation device comprising a CPU which computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and f_(3χ,S)(Q) be a rational function which is calculated using Miller's algorithm, wherein the order r and a trace t of the Frobenius endomorphism φ_(p) are specified using the integer variable χ as,

$$r(\chi) = 9\chi^4 + 12\chi^3 + 8\chi^2 + 4\chi + 1, \qquad t(\chi) = -9\chi^3 - 3\chi^2 - 2\chi,$$

and a representation of the integer variable χ using p² and p³ with p as a characteristic is

$$p^3 \equiv p^2 + 3\chi + 1 \pmod{r(\chi)}$$

and the CPU includes: an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers; a first computation unit which computes f_(3χ,S)(Q) and f_(3χ,p³S)(Q); a second computation unit which computes respective rational points p²(S), (3χ+1)S, p²(p³S), (3χ+1)p³S in order using previously obtained results; a third computation unit which respectively computes a value l₅ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χS, S), a value l₆ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(S), (3χ+1)S), a value l₇ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χp³S, p³S), and a value l₈ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(p³S), (3χ+1)p³S); and the fourth computation unit which computes f′_(χ,S)(Q) using the computation result of the first computation unit and the computation result of the third computation unit as [F25]

$$f'_{\chi,S}(Q) = \left(f_{3\chi,S}(Q)\cdot l_5 \cdot l_6\right)^{p^3} f_{3\chi,p^3S}(Q)\cdot l_7 \cdot l_8;$$

and a fifth computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as [F26]

$$e(S, Q) = f'_{\chi,S}(Q)^{(p^{8}-1)/r}.$$
 23. A pairing computation method, wherein an elliptic curve is given as y²=x³+ax, a∈F_(p), letting an embedding degree be 8, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p⁸), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

$$G_1 = E[r] \cap \mathrm{Ker}(\phi_p - [1]), \qquad G_2 = E[r] \cap \mathrm{Ker}(\phi_p - [p]),$$

as a non-degenerate bilinear map

$$e : G_1 \times G_2 \to F^*_{p^{8}} / (F^*_{p^{8}})^{r},$$

an electronic computer which includes a CPU computes the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and f_(3χ,S)(Q) be a rational function which is calculated using Miller's algorithm, the order r and a trace t of the Frobenius endomorphism φ_(p) being specified using the integer variable χ as,

$$r(\chi) = 9\chi^4 + 12\chi^3 + 8\chi^2 + 4\chi + 1, \qquad t(\chi) = -9\chi^3 - 3\chi^2 - 2\chi,$$

and a representation of the integer variable χ using p² and p³ with p as a characteristic being

$$p^3 \equiv p^2 + 3\chi + 1 \pmod{r(\chi)}$$

the pairing computation method comprising: an input step which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers by causing the CPU of the electronic computer to function as an input unit; a first computation step which computes f_(3χ,S)(Q) and f_(3χ,p³S)(Q) by causing the CPU of the electronic computer to function as a first computation unit; a second computation step which computes respective rational points p²(S), (3χ+1)S, p²(p³S), (3χ+1)p³S in order using previously obtained results by causing the CPU of the electronic computer to function as a second computation unit; a third computation step which respectively computes a value l₅ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χS, S), a value l₆ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(S), (3χ+1)S), a value l₇ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χp³S, p³S), and a value l₈ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(p³S), (3χ+1)p³S) by causing the CPU of the electronic computer to function as a third computation unit; and a fourth computation step which computes f′_(χ,S)(Q) using said f_(3χ,S)(Q) and said f_(3χ,p³S)(Q) and said values l₅, l₆, l₇, l₈ as [F27]

$$f'_{\chi,S}(Q) = \left(f_{3\chi,S}(Q)\cdot l_5 \cdot l_6\right)^{p^3} f_{3\chi,p^3S}(Q)\cdot l_7 \cdot l_8;$$

by causing the CPU of the electronic computer to function as a fourth computation unit; and a fifth computation step which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as [F28]

$$e(S, Q) = f'_{\chi,S}(Q)^{(p^{8}-1)/r}$$

by causing the CPU of the electronic computer to function as a fifth computation unit.
 24. A recording medium storing a pairing computation program, wherein an elliptic curve is given as y²=x³+ax, a∈F_(p), letting an embedding degree be 8, E be an additive group constituted of rational points on the pairing enabled elliptic curve defined over an extension field F_(p⁸), E[r] be a set of rational points having a prime order r, and φ_(p) be a Frobenius endomorphism, a pairing e is defined using

$$G_1 = E[r] \cap \mathrm{Ker}(\phi_p - [1]), \qquad G_2 = E[r] \cap \mathrm{Ker}(\phi_p - [p]),$$

as a non-degenerate bilinear map

$$e : G_1 \times G_2 \to F^*_{p^{8}} / (F^*_{p^{8}})^{r},$$

the pairing computation program causes an electronic computer which includes a CPU to compute the pairing e(S, Q), by letting S∈G₁, Q∈G₂, χ be a given integer variable, and f_(3χ,S)(Q) be a rational function which is calculated using Miller's algorithm, the order r and a trace t of the Frobenius endomorphism φ_(p) being specified using the integer variable χ as,

$$r(\chi) = 9\chi^4 + 12\chi^3 + 8\chi^2 + 4\chi + 1, \qquad t(\chi) = -9\chi^3 - 3\chi^2 - 2\chi,$$

and a representation of the integer variable χ using p² and p³ with p as a characteristic being

$$p^3 \equiv p^2 + 3\chi + 1 \pmod{r(\chi)}$$

the pairing computation program causing the CPU of the electronic computer to function as: an input unit which inputs the integer variable χ, the rational point S, and the rational point Q into respective predetermined registers; a first computation unit which computes f_(3χ,S)(Q) and f_(3χ,p³S)(Q); a second computation unit which computes respective rational points p²(S), (3χ+1)S, p²(p³S), (3χ+1)p³S in order using previously obtained results; a third computation unit which respectively computes a value l₅ at a rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χS, S), a value l₆ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(S), (3χ+1)S), a value l₇ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (3χp³S, p³S), and a value l₈ at the rational point Q(x_(Q), y_(Q)) of a straight line passing through rational points (p²(p³S), (3χ+1)p³S); and a fourth computation unit which computes f′_(χ,S)(Q) using said f_(3χ,S)(Q) and said f_(3χ,p³S)(Q) and said values l₅, l₆, l₇, l₈ as [F29]

$$f'_{\chi,S}(Q) = \left(f_{3\chi,S}(Q)\cdot l_5 \cdot l_6\right)^{p^3} f_{3\chi,p^3S}(Q)\cdot l_7 \cdot l_8;$$

and a fifth computation unit which computes the pairing e(S, Q) using said f′_(χ,S)(Q) as [F30]

$$e(S, Q) = f'_{\chi,S}(Q)^{(p^{8}-1)/r}.$$
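The two congruences on which claims 18 to 24 rest, p ≡ (2χ−1)p¹⁰+2χ (mod r(χ)) for embedding degree 12 and p³ ≡ p²+3χ+1 (mod r(χ)) for embedding degree 8, can be checked numerically before any implementation relies on them. The Python below is an added example, not part of the patent: it assumes that r divides the curve order p+1−t, so that p ≡ t−1 (mod r), and its function names and sample values of χ are constructed for illustration.

```python
def k12_params(chi):
    """r(chi), t(chi) of the embedding-degree-12 family (claims 18-21)."""
    r = 36*chi**4 - 36*chi**3 + 18*chi**2 - 6*chi + 1
    t = 6*chi**2 + 1
    return r, t

def k8_params(chi):
    """r(chi), t(chi) of the embedding-degree-8 family (claims 22-24)."""
    r = 9*chi**4 + 12*chi**3 + 8*chi**2 + 4*chi + 1
    t = -9*chi**3 - 3*chi**2 - 2*chi
    return r, t

def p_mod_r(r, t):
    # Assumption (not stated in the claims): r divides #E(F_p) = p + 1 - t,
    # hence p = t - 1 (mod r). Only this residue matters for the congruences.
    return (t - 1) % r

def mult_order(a, r, bound=24):
    """Smallest k <= bound with a^k = 1 (mod r), or None if there is none."""
    x = 1
    for k in range(1, bound + 1):
        x = x * a % r
        if x == 1:
            return k
    return None

def check_k12(chi):
    """(congruence holds?, order of p mod r) for the degree-12 family."""
    r, t = k12_params(chi)
    p = p_mod_r(r, t)
    holds = (p - ((2*chi - 1) * pow(p, 10, r) + 2*chi)) % r == 0
    return holds, mult_order(p, r)

def check_k8(chi):
    """(congruence holds?, order of p mod r) for the degree-8 family."""
    r, t = k8_params(chi)
    p = p_mod_r(r, t)
    holds = (pow(p, 3, r) - (pow(p, 2, r) + 3*chi + 1)) % r == 0
    return holds, mult_order(p, r)

# Constructed sample values of chi (not taken from the patent).
SAMPLES = [-7, -2, 2, 3, 11, 2**20 + 5]

if __name__ == "__main__":
    for chi in SAMPLES:
        print(chi, check_k12(chi), check_k8(chi))
```

The multiplicative order of p modulo r returned alongside each check is the embedding degree the claims state (12 and 8), which confirms that the parameter polynomials were transcribed with the correct signs.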